Cryptographic primitives, error coding, and pseudo-random number improvement methods using quasigroups

ABSTRACT

Stream ciphers, including synchronous stream ciphers, self-synchronizing stream ciphers, and totally asynchronous stream ciphers, employ a working key and a quasigroup transformation, where the quasigroup used is based on an initial secret key. Error-correction and pseudo-random number generation improver methods also employ quasigroup transformations.

PRIORITY CLAIM

The present application claims the benefit of U.S. Provisional Application Ser. No. 60/618,173, filed Oct. 13, 2004, under 35 U.S.C. § 119.

TECHNICAL FIELD

A general field of the invention is transmission of information. A more particular field of the invention is data encryption/decryption. Another more particular field of the invention is error coding. Yet another more particular field of the invention is pseudo-random numbers.

BACKGROUND ART

Cryptography may be used to provide data integrity and/or data security for data communication. The latter can be important to protect the data communicated over a channel, including wired and wireless channels. One type of encryption makes use of a stream cipher. As opposed to block ciphers, which are characterized by production of a same block output in response to a same block input, stream ciphers can give different outputs at different times in response to an identical input. A stream cipher converts an input string (such as a message) into an encrypted output string (such as a ciphertext) using an input called a seed or key, with the goal that parties lacking the key will view the encrypted string as a random sequence. The level of encryption and, to some extent, the resources devoted to encryption determine the level of security (or randomness) to other parties.

Stream ciphers provide improved security over block ciphers, due to the lack of a fixed output response to a particular input. There exist in the art self-synchronizing (sometimes called asynchronous) and synchronous stream ciphers. In a synchronous stream cipher, a transmission error affects only the erroneous bit or group (block) of bits; later outputs of the decrypted stream do not suffer from it. In a self-synchronizing stream cipher, a transmission error also corrupts the decryption of a bounded number of subsequent bits or blocks, after which correct decryption resumes without any intervention, i.e. the receiver re-synchronizes by itself.

Block and stream ciphers, and cryptography or transmission methods in general, make use of some important support methods. As an example, (pseudo-) random number generation is used in ciphers. Pseudo-random numbers are generated, for example, to provide seed or basis numbers for ciphering and deciphering methods. As another example, error correcting codes, which may be used to improve communication generally, particularly over noisy channels, may also provide benefit in cipher methods.

DISCLOSURE OF THE INVENTION

According to preferred embodiments of the present invention, a number of stream ciphers, including synchronous stream ciphers, self-synchronizing stream ciphers, and totally asynchronous stream ciphers, are provided that employ a working key and a quasigroup transformation, where the quasigroup used is based on an initial secret key. Error-correction and pseudo-random number generation improver methods are provided as well, both of which also employ quasigroup transformations.

BRIEF DESCRIPTION OF THE DRAWING

The FIGURE is a block diagram of a basic communication system, including a transmitter and receiver according to embodiments of the present invention.

BEST MODE OF CARRYING OUT THE INVENTION

Generally, in certain embodiments of the invention, a synchronous stream cipher with selectable key length is provided. In an exemplary embodiment, steps are provided for generating a uniformly distributed keystream that is additively combined with a stream of plaintext data to generate an encrypted output stream. The keystream generation steps include determining a working quasigroup transformation based on a secret initial key, and using the working quasigroup to generate the keystream. The preferred synchronous stream cipher also provides a computationally infeasible barrier to attack. The key length may be varied to improve security of the cipher without re-designing algorithms for encrypting and decrypting as the key size increases. For sufficiently small key sizes, operations can be pipelined in hardware or firmware implementations.

In other embodiments of the present invention, a self-synchronizing stream cipher with variable key length is provided, again without the need to re-design algorithms for encrypting and decrypting as the key size increases. In particular embodiments of the self-synchronizing stream cipher, encryption and decryption are performed by determining a working quasigroup based on a secret initial key, and encrypting or decrypting a message as a function of a working key, the working quasigroup, and a fixed number of letters of the message to be encrypted or decrypted. As with the preferred synchronous stream cipher, the preferred self-synchronizing stream cipher is computationally infeasible to attack, and with a sufficiently small input key can be pipelined in hardware or firmware implementations.

In still other embodiments of the invention, a new type of cipher, a totally asynchronous stream cipher is provided wherein an output stream is generated as a function of a working key, a working quasigroup determined based on an initial key, and a fixed number of previous letters of an input stream. This type of cipher has been shown to be secure against various attacks by adversaries. The synchronous cipher, self-synchronizing cipher, and asynchronous cipher are examples of cryptographic primitives that may be implemented according to embodiments of the present invention using quasigroups. As used herein, the term “quasigroup” refers to quasigroups or any algebraic object equivalent thereof.

Other embodiments of the invention provide a method for correcting errors in binary symmetric channels, by mapping blocks of a message to a codeword C, wherein the mapping is iterative and, for an arbitrary codeword C, the distribution of substrings of C of length r is uniform. This mapping, according to preferred embodiments, is performed using a quasigroup transformation. Preferred embodiments provide low bit error rates, e.g., in the range of 10⁻⁵ with blocks of a few hundred bits, comparing favorably to Turbo Coding and LDPC, which accomplish such bit error rates with blocks of several thousand bits.

Yet other embodiments of the invention provide an improver that improves the output of a pseudo-random number generator. Output weaknesses in the generator are addressed by the improver. Improver embodiments can enlarge the period of a pseudo-random string to any desired length. Pseudo-random strings may be made uniform in the sense that the distributions of letters, pairs of letters, triples, and generally k-tuples may be made uniform. The preferred improver does not rely on the properties of the generator, and can function even when the generator produces a trivial output (consisting, for example, of a single repeated letter). Preferred improvers take into account properties that have been recognized in quasigroup string transformations. The complexity is linear, O(n), where n is the length of the input pseudo-random string, and hence the improver is very fast. It is flexible and can work over alphabets of n-bit letters for every n>1. Embodiments of the improver may be implemented in a memory space of less than 1 Kb, for example. An improver of preferred embodiments accepts a pseudo-random string of low quality. The string is transformed using a quasigroup of a selectable order, and the number of transformations may be selectable as well. A high-quality pseudo-random string is output by the improver.

Referring to the FIGURE, methods of the present invention may be implemented in a transmitter 10 and/or receiver 12 used in a communication system 14. The transmitter 10 receives a message 16 from an information source 18, and may encrypt the message (or improve the message, if error coding or pseudo-random number improvement is used) for transmission of a signal via a channel 20. As will be appreciated in the art, the channel 20 may be noisy. The receiver 12 receives the signal (encrypted message, message containing errors, pseudo-random number, etc.), and may decrypt the signal message and/or correct errors in the signal to produce the decrypted or corrected message 22, which is sent to a destination 24.

It is contemplated that the transmitter 10 and/or receiver 12 may be configured to implement one or more methods of the present invention. It is further contemplated that a computer-readable medium, a chip, a propagated signal, a computer, etc. may be used to implement, or cause to be implemented, one or more of the methods of the present invention. Various methods according to aspects of the present invention will now be discussed.

In a first type of embodiment of the present invention, a flexible additive stream cipher, referred to herein as EdonX, is provided with provable security that transforms an input stream of bit tuples, preferably nibbles (i.e. 4-tuples of bits). The length of the key of EdonX is variable and can be any string of n nibbles. EdonX is defined by using quasigroup string transformations and its security is based on the mathematical properties of quasigroups and quasigroup string transformations. EdonX uses, in a preferred embodiment, a quasigroup of order 16 that can be stored in 128 bytes and, together with the internal memory and the executable code, it can be implemented in less than 1 Kb. Consequently, in a preferred embodiment, EdonX is suitable for hardware implementation in embedded systems.

Generally, stream ciphers encrypt individual characters (usually binary digits) of a plaintext message one at a time, using an encryption transformation which varies with time, while block ciphers simultaneously encrypt groups of characters of a plaintext message using a fixed encryption transformation. To address the problem of designing a cryptographically strong, high-quality stream cipher, a flexible additive stream cipher, EdonX, is disclosed with provable security that transforms an input stream of nibbles (i.e. 4-tuples of bits). The length of the key of EdonX is variable and can be any string of n nibbles, but we suggest n≧32 for security reasons. EdonX is defined by using quasigroup string transformations and its security is based on the mathematical properties of quasigroups and quasigroup string transformations. The design of EdonX uses a quasigroup of order 16 that can be stored in 128 bytes (256 entries of 4 bits each) and, together with the internal memory and the executable code, it can be implemented in less than 1 Kb. Consequently, EdonX is suitable for hardware implementation in embedded systems.

We will briefly mention the definition of the synchronous stream ciphers as it is defined in A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography, CRC Press, Inc., 1997.

Definition 1 A synchronous stream cipher is one in which the keystream is generated independently of the plaintext message and of the ciphertext.

The encryption process of a synchronous stream cipher can be described by the equations

$\sigma_{i+1} = f(\sigma_i, k), \qquad z_i = g(\sigma_i, k), \qquad c_i = h(z_i, m_i)$

where σ₀ is the initial state and may be determined from the key k, f is the next-state function, g is the function which produces the keystream z_(i), and h is the output function which combines the keystream and plaintext m_(i) to produce the ciphertext c_(i).

Definition 2 A binary additive stream cipher is a synchronous stream cipher in which the keystream, the plaintext and the ciphertext digits are binary digits, and the output function h is the XOR function ⊕.

EdonX stream cipher according to preferred embodiments is a binary additive stream cipher. EdonX is defined by using quasigroup operations and quasigroup string transformations. Here we give a brief overview, noting that the term “quasigroups” as used herein may also refer to an algebraic object equivalent of a quasigroup.

Definition 3 A quasigroup (Q,*) is a groupoid satisfying the law

$(\forall u, v \in Q)(\exists!\, x, y \in Q)\quad u * x = v \;\;\&\;\; y * u = v.$

Here we will use only finite quasigroups, i.e., Q is a finite set. Closely related combinatorial structures to finite quasigroups are the so called Latin squares:

Definition 4 A Latin square L on a finite set Q of cardinality |Q|=n is an n×n-matrix with elements from Q such that each row and each column of the matrix is a permutation of Q.

To any finite quasigroup (Q,*) given by its multiplication table there corresponds a Latin square L, namely the matrix formed by the main body of the table, and conversely each Latin square L on a set Q defines a quasigroup (Q,*).

The relations of isotopism and autotopism between two quasigroups are defined as follows.

Definition 5 A quasigroup (K,*) is said to be isotopic to a quasigroup (Q,•) if there are bijections α, β, γ from K onto Q such that γ(x*y)=α(x)•β(y) for each x,y ∈ K. Then the triple (α,β,γ) is called an isotopism from (K,*) to (Q,•).

An autotopism of (K,*) is an isotopism of (K,*) into itself. We denote by Autotope(K,*) a quasigroup obtained from (K,*) by some autotopism. Note that there are no more than (|K|!)³ quasigroups autotopic to (K,*), at most one for each triple (α,β,γ) of permutations of K. If α=1 and β=1 are identity permutations and γ is a transposition, then we denote by γ(K,*) the quasigroup autotopic to (K,*) under the autotopism (1,1,γ).

The multiplication of two autotopisms (α,β,γ) and (α′,β′,γ′) is defined componentwise, i.e.

(α,β,γ)(α′,β′,γ′)=(αα′,ββ′,γγ′)

The following property will be used in proving the security of EdonX:

Proposition 1 The set Γ of all autotopisms of a quasigroup (Q,*) is a group under the operation of multiplication of autotopisms.

This property is further explained in Denes, J., Keedwell, A. D.: Latin Squares and their Applications, English Univer. Press Ltd., 1974. Given a quasigroup (Q,*), five new operations, the so-called parastrophes or adjoint operations, can be derived from the operation *. We will need only the following two, denoted by \ and / (referred to as the left and right parastrophes), and defined by:

$x * y = z \iff y = x \backslash z \iff x = z / y.$

Then the algebra (Q, *, \, /) satisfies the identities

$x \backslash (x * y) = y, \qquad x * (x \backslash y) = y, \qquad (x * y) / y = x, \qquad (x / y) * y = x$

and (Q,\), (Q,/) are quasigroups too.

Next, we define the method of quasigroup string transformations. Consider an alphabet (i.e. a finite set) Q, and denote by Q⁺ the set of all nonempty words (i.e. finite strings) formed by the elements of Q. The elements of Q⁺ will rather be denoted by a₁a₂…a_(n) than by (a₁, a₂, …, a_(n)), where a_(i) ∈ Q. Let * be a quasigroup operation on the set Q, i.e. consider a quasigroup (Q,*). For each a ∈ Q we define two functions e_(a,*), d_(a,*): Q⁺ → Q⁺ as follows.

Let a_(i) ∈ Q, α = a₁a₂…a_(n). Then

$e_{a,*}(\alpha) = b_1 b_2 \ldots b_n, \qquad b_1 = a * a_1,\; b_2 = b_1 * a_2,\; \ldots,\; b_n = b_{n-1} * a_n,$

as shown in this table:

        a₁  a₂  a₃  …  a_(n)
  a     b₁  b₂  b₃  …  b_(n)

i.e. b_(i+1) = b_(i) * a_(i+1) for each i = 0, 1, …, n−1, where b₀ = a, and

$d_{a,*}(\alpha) = c_1 c_2 \ldots c_n, \qquad c_1 = a * a_1,\; c_2 = a_1 * a_2,\; \ldots,\; c_n = a_{n-1} * a_n,$

as shown in this table:

  a     a₁  a₂  a₃  …  a_(n)
        c₁  c₂  c₃  …  c_(n)

i.e. c_(i+1) = a_(i) * a_(i+1) for each i = 0, 1, …, n−1, where a₀ = a.

The functions e_(a,*), d_(a,*)are called e- and d-transformation of Q+ based on the operation * with leader a.

For example, take Q={0, 1, 2, 3} and let the quasigroup (Q,*) and its parastrophe (Q,\) be given by the multiplication scheme in the following table:

  *   0 1 2 3        \   0 1 2 3
  0   2 1 0 3        0   2 1 0 3
  1   3 0 1 2        1   1 2 3 0
  2   1 2 3 0        2   3 0 1 2
  3   0 3 2 1        3   0 3 2 1

Consider the string M=0 0 1 0 2 3 0 0 1 2 0 0 1 0 0 2 0 0 0 3 and choose the leader 0. Then by the transformation e_(0,*) we will obtain the transformed string C=e_(0,*)(M)=2 1 0 2 3 1 3 0 1 1 3 0 1 3 0 0 2 1 3 1 and by the transformation d_(0,\) we will obtain the string D=d_(0,\)(M)=2 2 1 1 0 2 0 2 1 3 3 2 1 1 2 0 3 2 2 3.

If we apply the transformation d_(0,\) on the string C or the transformation e_(0,*) on the string D we will obtain the original string M. In fact, the following property is true, as discussed in Markovski, S., Gligoroski, D., Bakeva, V.: Quasigroup String Processing: Part 1, Maced. Acad. of Sci. and Arts, Sc. Math. Tech. Scien. XX 1-2, (1999) 13 28:

Proposition 2 For each string MεQ⁺ and for each leader lεQ it holds that d_(l,\)(e_(l,*)(M))=M=e_(l,*)(d_(l,\)(M)), i.e. e_(l,*) and d_(l,\) are mutually inverse permutations of Q+.
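As an added worked example (this code is not part of the patent text), the following Python implements Definitions 3 and 4 (a finite quasigroup given by its Latin square), derives the left and right parastrophes \ and / from *, implements the e- and d-transformations with a leader, and checks Proposition 2 on the order-4 quasigroup and the string M of the example above. The function names are this example's own choice.

```python
# Added example (not code from the patent): finite quasigroups as Latin
# squares, their left/right parastrophes, and the e- and d-transformations
# with a leader, checked against the order-4 example on this page.
# Function names here are this example's own choice.

# The page's order-4 quasigroup (Q,*): STAR[x][y] is x*y.
STAR = (
    (2, 1, 0, 3),
    (3, 0, 1, 2),
    (1, 2, 3, 0),
    (0, 3, 2, 1),
)


def is_latin_square(table):
    """Definition 4: every row and every column is a permutation of Q."""
    n = len(table)
    symbols = set(range(n))
    rows_ok = all(len(row) == n and set(row) == symbols for row in table)
    cols_ok = all({row[j] for row in table} == symbols for j in range(n))
    return rows_ok and cols_ok


def left_parastrophe(table):
    """(Q,\\): x \\ z is the unique y with x * y = z."""
    n = len(table)
    ld = [[None] * n for _ in range(n)]
    for x in range(n):
        for y in range(n):
            ld[x][table[x][y]] = y
    return tuple(tuple(row) for row in ld)


def right_parastrophe(table):
    """(Q,/): z / y is the unique x with x * y = z."""
    n = len(table)
    rd = [[None] * n for _ in range(n)]
    for x in range(n):
        for y in range(n):
            rd[table[x][y]][y] = x
    return tuple(tuple(row) for row in rd)


def e_transform(table, leader, s):
    """e_{a,*}(a_1..a_n): b_1 = a*a_1, b_{i+1} = b_i * a_{i+1} (chained)."""
    out, b = [], leader
    for a in s:
        b = table[b][a]
        out.append(b)
    return out


def d_transform(table, leader, s):
    """d_{a,*}(a_1..a_n): c_1 = a*a_1, c_{i+1} = a_i * a_{i+1} (pairwise)."""
    out, prev = [], leader
    for a in s:
        out.append(table[prev][a])
        prev = a
    return out


def roundtrip_holds(table, leader, s):
    """Proposition 2: d_{l,\\}(e_{l,*}(M)) == M == e_{l,*}(d_{l,\\}(M))."""
    ld = left_parastrophe(table)
    s = list(s)
    return (d_transform(ld, leader, e_transform(table, leader, s)) == s
            and e_transform(table, leader, d_transform(ld, leader, s)) == s)


if __name__ == "__main__":
    # The page's string M with leader 0; prints the C and D of the example.
    M = [0, 0, 1, 0, 2, 3, 0, 0, 1, 2, 0, 0, 1, 0, 0, 2, 0, 0, 0, 3]
    print("C =", e_transform(STAR, 0, M))
    print("D =", d_transform(left_parastrophe(STAR), 0, M))
```

Note that e_(a,*) chains each output letter into the next multiplication, so a single changed input letter alters every later output letter, while d_(a,*) only multiplies neighbouring input letters; inverting e_(l,*) therefore needs the parastrophe \ applied in the d pattern, exactly as Proposition 2 states.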

Preferably, EdonX operates on nibbles, i.e. on 4-bit variables, and consequently it uses a quasigroup (Q,*) of order 16 for doing quasigroup string transformations on the streams of data. So, the values of the corresponding Latin square are represented by 4 bits. The same holds for the values of the working key K, which is stored in m internal variables K_(i), i.e. K=K₀K₁…K_(m−1), and the variables K_(i) have values in the range {0, 1, …, 15}. The i-th value of K will also be denoted by K[i]=K_(i).

EdonX uses an initial secret value K_(in)=K_(in)[0]K_(in)[1]…K_(in)[n−1] of n nibbles in the initialization phase, from which the working key K is derived. The initial quasigroup (Q,•) of order 16 can be secret or public. Using the secret information stored in K_(in), EdonX transforms the initial quasigroup (Q,•) and the values of K_(in) themselves. EdonX also uses two temporary 4-bit variables T and X, and one additional integer variable Counter, in a preferred embodiment. The decryption function of EdonX is the same as the encryption function.

The EdonX encryption (and decryption) function is defined by the procedure that follows. The operation * is the quasigroup operation obtained by an autotopism from the operation • of the given initial quasigroup; the operation · written in the procedure is the operation • of the initial quasigroup itself (the worked example below computes T ← T·X with the initial table). The operation ⊕ is the bitwise XOR operation on nibbles (i.e. 4-bit letters). The number m = max(n, 64) represents the length of the working key; it depends on the length n of the initial key, but for security reasons we take m≧64. The initialization phase is described later on by a separate procedure.

EdonX encryption and decryption

Phase 1. Initialization
  From the secret initial key K_(in) of length n obtain the working key K of length m and the new quasigroup (Q,*) ← Autotope(Q,•).

Phase 2. En(De)cryption
  1. Counter ← 0; p ← ⌊m/2⌋;
  2. X ← K[Counter mod m];
  3. T ← K[(Counter + p) mod m];
  4. For i = 0 to m − 1 do
       begin
         X ← K_(i) * X;
         T ← T · X;
         K_(i) ← X;
       end;
     K_(m−1) ← T;
  5. Output: X ⊕ InputNibble;
  6. Counter ← Counter + 1;
  7. Go to 2;

A very important phase of the algorithm is the Initialization phase. It incorporates techniques already known in cryptographic algorithms, such as padding, expanding and transforming the secretly shared initial key K_(in). The information from the expanded and transformed key K_(in) is then used to transform the initially given quasigroup as well as to set the initial values of the m nibbles of the working key K. The length n of the initial key (in nibbles) can be any positive integer, larger n for higher security (and, as is always the case, the price of the security is the speed of the system); we propose 32≦n≦255. This flexibility in the choice of the key is a significant feature of EdonX.

The initialization phase is described by the following algorithm:

Initialization of EdonX

Phase 1. Input of initial key
  1. Input: n, the initial length of the secret key (an integer), and K_(in) = K₀‖K₁‖…‖K_(n−1) (the K_(i) are nibbles).

Phase 2. Padding the key
  2. Set K_(in) = K_(in)‖n₁‖n₂, where n₁ is the most significant and n₂ the least significant nibble of n.

Phase 3. Expanding the key to 512 nibbles
  3. Set K_(ex) = K_(in)‖K_(in)‖…‖K_(in)‖K′, where K′ consists of the first l nibbles of K_(in), such that the total length of K_(ex) is 512 nibbles.

Phase 4. Transformation of K_(ex) with the given quasigroup (Q,•) of order 16
  4. For i = 0 to 511 do
       begin
         Set leader = K_(in)[i mod (n + 2)];
         K_(ex) ← e_(leader,•)(K_(ex));
         K_(ex) ← RotateLeft(K_(ex));
       end;

Phase 5. Transformation (Q,*) ← Autotope(Q,•)
  5. (Q,*) ← (Q,•);
     For i = 0 to 511 step 8 do
       begin
         Set row₁ = K_(ex)[i]; Set row₂ = K_(ex)[i + 1];
         (Q,*) ← SwapRows(Q, row₁, row₂);
         Set column₁ = K_(ex)[i + 2]; Set column₂ = K_(ex)[i + 3];
         (Q,*) ← SwapColumns(Q, column₁, column₂);
         Set γ = (K_(ex)[i + 4], K_(ex)[i + 6]);
         (Q,*) ← γ(Q,*);
       end;

Phase 6. Setting the working key K (the last m nibbles of K_(ex))
  6. Set K = K₀‖K₁‖…‖K_(m−1) = K_(ex)[512 − m]‖…‖K_(ex)[511]

We should clarify several operations and symbols that are used in the initialization phase. First, K_(in) means the initial key, K_(ex) means the expanded key, and the symbol ‖ means concatenation of 4-bit letters. The notation K_(in)[j] means the j-th nibble of K_(in). The function RotateLeft(K_(ex)) cyclically rotates the values of K_(ex) such that K_(ex)[i] ← K_(ex)[i+1] for i = 0, 1, 2, …, 510 and K_(ex)[511] ← K_(ex)[0]. The names of the functions SwapRows and SwapColumns speak for themselves: they are the functions by which two rows or two columns of the multiplication table of a quasigroup are swapped.

At the end of the initialization phase, we obtain two working structures that are not known to the adversary. Namely, the first unknown structure is the working quasigroup (Q,*), which is an autotope of the original quasigroup (Q,•) and is one of about (16!)³≈2¹³² autotopes, and the second unknown structure is the working key K of length 4m bits (m nibbles), which replaces the original initial secret key K_(in). (However, the exact number of autotopism classes of quasigroups of order 16 is not known; the best known publicly available result is for quasigroups of order 11.)

An example will now be presented of an initialization, encryption and decryption operation with simplified (2-bit) EdonX. This example works on the principles of EdonX but, for the simplicity of the explanation, instead of using a quasigroup of order 16, we use a quasigroup of order 4. Accordingly, instead of nibbles, we work with 2-bit letters (i.e. 0, 1, 2 and 3). Moreover, instead of using an expanded key of length 512, we shorten it to length 16, and we also take m=n. Accordingly, Phase 5 of the Initialization of EdonX is changed to the following simple form:

Phase 5 (example). Transformation (Q,*) ← Autotope(Q,•)
  5. (Q,*) ← (Q,•);
     For i = 0 to 15 step 4 do
       begin
         Set row₁ = K_(ex)[i]; Set row₂ = K_(ex)[i + 1];
         (Q,*) ← SwapRows(Q, row₁, row₂);
         Set column₁ = K_(ex)[i + 2]; Set column₂ = K_(ex)[i + 3];
         (Q,*) ← SwapColumns(Q, column₁, column₂);
         Set γ = (K_(ex)[i + 1], K_(ex)[i + 3]);
         (Q,*) ← γ(Q,*);
       end;

Let the initial quasigroup (Q,•) be the same as in the previous example:

  •   0 1 2 3
  0   2 1 0 3
  1   3 0 1 2
  2   1 2 3 0
  3   0 3 2 1

Set the initial value to be K_(in)=1 3 1 in 2-bit letters. Since the length of K_(in) is 3, and since the representation of the number 3 with two 2-bit letters is 0011 = 00‖11, we pad K_(in) and obtain K_(in)=1 3 1 0 3. Then by concatenating K_(in) several times we obtain K_(ex) of length 16, i.e. K_(ex)=1 3 1 0 3 1 3 1 0 3 1 3 1 0 3 1. Then, transforming the expanded key by e_(l,•)-transformations, where the leaders l are cyclically taken to be the values of the padded K_(in), and rotating left after each transformation, we obtain the final value of K_(ex). In the following table we summarize those transformations (each leader row is the e-transformed string, each RotateLeft row the rotated one).

  Leader       K_(ex)
               1 3 1 0 3 1 3 1 0 3 1 3 1 0 3 1
  1            0 3 3 0 3 3 1 0 2 0 1 2 2 1 2 2
  RotateLeft   3 3 0 3 3 1 0 2 0 1 2 2 1 2 2 0
  3            1 2 1 2 0 1 3 2 1 0 0 0 1 1 1 3
  RotateLeft   2 1 2 0 1 3 2 1 0 0 0 1 1 1 3 1
  1            1 0 0 2 2 0 0 1 3 0 2 2 2 2 0 1
  RotateLeft   0 0 2 2 0 0 1 3 0 2 2 2 2 0 1 1
  0            2 1 1 1 3 0 1 2 1 1 1 1 1 3 3 3
  RotateLeft   1 1 1 3 0 1 2 1 1 1 1 1 3 3 3 2
  3            3 3 3 1 3 3 2 2 2 2 2 2 0 3 1 1
  RotateLeft   3 3 1 3 3 2 2 2 2 2 2 0 3 1 1 3
  1            2 0 1 2 0 0 0 0 0 0 0 2 0 1 0 3
  RotateLeft   0 1 2 0 0 0 0 0 0 0 2 0 1 0 3 2
  3            0 1 1 3 0 2 1 3 0 2 3 0 1 3 1 1
  RotateLeft   1 1 3 0 2 1 3 0 2 3 0 1 3 1 1 0
  1            0 1 2 1 1 0 3 0 0 3 0 1 2 2 2 1
  RotateLeft   1 2 1 1 0 3 0 0 3 0 1 2 2 2 1 0
  0            1 1 0 1 3 1 3 0 3 0 1 1 1 1 0 2
  RotateLeft   1 0 1 3 1 3 0 3 0 1 1 1 1 0 2 1
  3            3 0 1 2 2 0 2 0 2 2 2 2 2 1 1 0
  RotateLeft   0 1 2 2 0 2 0 2 2 2 2 2 1 1 0 3
  1            3 3 2 3 0 0 2 3 2 3 2 3 3 3 0 3
  RotateLeft   3 2 3 0 0 2 3 2 3 2 3 3 3 0 3 3
  3            1 1 2 1 3 2 0 0 3 2 0 3 1 3 1 2
  RotateLeft   1 2 1 3 2 0 0 3 2 0 3 1 3 1 2 1
  1            0 0 1 2 3 0 2 0 0 2 0 1 2 2 3 3
  RotateLeft   0 1 2 3 0 2 0 0 2 0 1 2 2 3 3 0
  0            2 2 3 1 3 2 1 3 2 1 0 0 0 3 1 3
  RotateLeft   2 3 1 3 2 1 3 2 1 0 0 0 3 1 3 2
  3            2 0 1 2 3 3 1 1 0 2 1 3 1 0 3 2
  RotateLeft   0 1 2 3 3 1 1 0 2 1 3 1 0 3 2 2
  1            3 3 2 0 3 3 3 0 0 1 2 2 1 2 3 2
  RotateLeft   3 2 0 3 3 3 0 0 1 2 2 1 2 3 2 3

With the last value K_(ex)=3 2 0 3 3 3 0 0 1 2 2 1 2 3 2 3 we start iteratively to swap the rows, to swap the columns and to transpose the elements of the initial quasigroup (Q,•) in order to obtain its autotope. So, first we swap the rows 3 and 2, then the columns 0 and 3, then we transpose the elements 2 and 3, and so on, as shown in the tables below.

The last obtained quasigroup is the working quasigroup (Q,*) that will be used for encryption and decryption:

  *   0 1 2 3
  0   1 3 0 2
  1   2 0 3 1
  2   3 1 2 0
  3   0 2 1 3

The working key K takes the last n=3 letters of K_(ex) and becomes K=323.

Now, let us encrypt the plaintext message M=30102300. The calculations performed with a preferred embodiment of EdonX are shown in the following table. For each Counter value, the row ":" gives X and T as set in steps 2 and 3, the row i gives K_(i) before its update in step 4 together with the new X and T of that iteration, and the output letter is C = X ⊕ M with the final X.

              Counter = 0    Counter = 1    Counter = 2    Counter = 3
              K   X   T      K   X   T      K   X   T      K   X   T
  :               3   2          0   1          0   0          1   0
  i = 0       3   3   0      3   0   3      0   1   1      1   0   2
  i = 1       2   0   2      0   1   3      1   0   3      0   1   2
  i = 2       3   0   1      1   0   0      0   1   3      3   2   3
  Input M         3              0              1              0
  Output C        3              0              0              2

              Counter = 4    Counter = 5    Counter = 6    Counter = 7
              K   X   T      K   X   T      K   X   T      K   X   T
  :               1   3          0   3          0   2          1   2
  i = 0       0   3   1      3   0   0      0   1   2      1   0   1
  i = 1       1   1   0      1   2   0      2   1   2      1   2   1
  i = 2       3   2   0      0   0   2      2   1   2      2   2   1
  Input M         2              3              0              0
  Output C        0              3              1              2

Since EdonX is a binary additive stream cipher, the calculations for the decrypting phase are the same, and the only difference would be in the last two rows (in that case input would be C, and output M=X⊕C).

In the beginning Counter = 0, p = ⌊3/2⌋ = 1, and the initial working key K has the value K=323=3‖2‖3; the value of X is X=K[Counter mod 3]=K₀=3 and the value of T is T=K[(Counter+p) mod 3]=K₁=2. Then, according to the algorithm, we obtain the intermediate values of X and T and the new values of the key K as follows (here * is the working quasigroup and · the initial quasigroup). For i=0 we have X←X₀=K₀*X=3*3=3, T←T₀=T·X=2·3=0, K₀←X=3; for i=1 we have X←X₁=K₁*X=2*3=0, T←T₁=T·X=0·0=2, K₁←X=0; and for i=2 we have X←X₂=K₂*X=3*0=0, T←T₂=T·X=2·0=1, K₂←X=0. After that we change the value of K₂ to K₂←T=1. In such a way we obtain that the new working key for Counter=1 is K=K₀K₁K₂=X₀X₁T₂=301, and the output value is C₀=X⊕M₀=0⊕3=3. All of the computations for Counter=0, Counter=1, …, Counter=7 are given in the table above. Thus, the input plaintext string M=30102300 is encrypted into the ciphertext string C=30020312.

Next we will discuss and demonstrate security benefits of preferred embodiments of the synchronous stream cipher EdonX. Considering the security, we assume that the length n of the initial secret key K_(in) is at least 32. We assume also that the adversary can mount a chosen plaintext/ciphertext attack, i.e. she/he can choose a plaintext and obtain the corresponding ciphertext, and that the initial quasigroup (Q,•) and the length n of the initial key are public. Further, we assume that the initial value of the secret key K_(in), as well as the internal states of the cipher (the working key K, the working quasigroup (Q,*) and the values of X and T), are not known to the adversary and that she/he cannot access them physically. We consider that the adversary will have broken EdonX if she/he is able to reconstruct successfully some part of the working key K and of the values of X and T.

We have been able to show that without the knowledge of the initial key K_(in) there is no computationally feasible way of knowing the working quasigroup (Q,*) and the starting values of the working key K. We will give proofs that the adversary cannot effectively obtain information of the part of the working key K and of the values of X and T in the subsequent steps. In the analysis that follows, we use the following property of quasigroup strings transformations:

Proposition 3 Let (Q,*) be a quasigroup, α be an arbitrary string of Q⁺, and e_(l,*) be a transformation with leader l. If we apply e_(l,*) on α k times, the obtained string β=(e_(l,*))^(k)(α) has uniform distribution of the letters, pairs of letters, …, k-tuples of letters.

To analyze the EdonX initialization phase: the initial value of the key K_(in), by our assumptions, has a length of at least 128 bits (n≧32 nibbles). The padding of K_(in) by the information of how long the initial key was is a standard procedure in other well known cryptographic primitives such as hash functions. Its role is to eliminate the possibility of obtaining the same result from two different initial keys. For example, if we did not have the padding, then the initial keys

$K_{in,1} = \underbrace{0 \ldots 0}_{32} \qquad \text{and} \qquad K_{in,2} = \underbrace{0 \ldots 0}_{33}$

would produce the same working key K. On the other hand, the padding ensures that the starting expanded keys K_(ex) will be different for different initial keys K_(in). The expanded key K_(ex) has a length of 512 nibbles. It is transformed 512 times by the publicly known quasigroup (Q,•) of order 16. By Proposition 3 we have the following corollary:

Corollary 1 The distributions of letters, pairs of letters, triples of letters, . . . in the key K_(ex) are uniform.

The uniformity of the distribution of the keys K_(ex) implies the uniformity of the distribution of the working keys K. Since the length of K is at least 64 nibbles, i.e. 256 bits, the adversary can guess the working key with probability not larger than 2⁻²⁵⁶.

As a consequence of Corollary 1 we have the following property too:

Theorem 1 The working quasigroup (Q,*) is a randomly obtained autotope of the initial quasigroup (Q,•).

Proof: In Phase 5 of the Initialization of EdonX, during the iterations we swap the rows (row₁ row₂) and the columns (column₁ column₂) and we apply the transpositions γ. This means that in each iteration step we apply the autotopism (α,β,γ), where α=(row₁ row₂) and β=(column₁ column₂) are permutations, i.e. transpositions, to the iterated quasigroup. So, after each iterative step in Phase 5 we obtain a quasigroup that is an autotope of the input one. By Proposition 1, the working quasigroup (i.e. the final output of Phase 5) is a quasigroup that is an autotope of the initial quasigroup under an autotopism (α′,β′,γ′). The permutations α′, β′, γ′ are in fact the products of all 64 transpositions α=(row₁ row₂), β=(column₁ column₂) and γ, respectively, obtained during Phase 5. Since each permutation on a 16-element set can be presented as a product of no more than 15 transpositions, and the transpositions α, β, γ are obtained from the random key K_(ex), we have that each of α′, β′ and γ′ can be any of the 16! possible permutations. As a consequence, the working quasigroup can be any autotope of the initial public quasigroup.

Since there are about 16!³≈2¹³² autotopisms on a quasigroup of order 16, we found that the working quasigroup can only be guessed with probability of about 2⁻¹³².

To analyze the EdonX encryption/decryption phase: from the previous section we have that the working quasigroup (Q,*) and the starting working key K=K₀K₁…K_(m−1)=K_(−1,0)K_(−1,1)…K_(−1,m−1) are not known to the adversary. Why we denote K_(j) by K_(−1,j) will be clear from the following.

Let the adversary choose one pair (M,C)=((M₀M₁ . . . ), (C₀C₁ . . . )) of plaintext/ciphertext string. Further we use the following notation: In the situation Counter=i instead of notation K_(j) (j=0, 1, . . . , n−1) we will use the notation K_(i,j). The same notation will be used for the variables X and T, i.e. the notation X_(i,j)(T_(i,j)) means the variable X(T) when Counter=i in its j-th iteration.

So, by the encryption/decryption algorithm of EdonX, for Counter=i (i ∈ {0, 1, 2, . . . }) the adversary can obtain the following system of equations (note that

$p = \left\lfloor \frac{m}{2} \right\rfloor$

is a constant):

X_(i,0) = K_(i−1,0) * K_(i−1,i mod m)
T_(i,0) = K_(i−1,i+p mod m) · X_(i,0)
X_(i,1) = K_(i−1,1) * X_(i,0)
T_(i,1) = T_(i,0) · X_(i,1)
. . .
X_(i,64) = K_(i−1,64) * X_(i,63)   (4)
T_(i,64) = T_(i,63) · X_(i,64)
. . .
X_(i,m−1) = K_(i−1,m−1) * X_(i,m−2)
T_(i,m−1) = T_(i,m−2) · X_(i,m−1)
X_(i,m−1) ⊕ M₀ = C₀

From the last equation above the adversary can get the value of X_(i,m−1)=C₀⊕M₀, since M₀, C₀ are known. The rest of the above set is equivalent to the following system of m+1 (m≧64) quasigroup equations with 2m unknown variables K_(i−1,0), . . . , K_(i−1,m−1), X_(i,0), . . . , X_(i,m−2), T_(i,m−1):

X_(i,0) = K_(i−1,0) * K_(i−1,i mod m)
X_(i,1) = K_(i−1,1) * X_(i,0)
. . .
X_(i,m−2) = K_(i−1,m−2) * X_(i,m−3)   (5)
M₀ ⊕ C₀ = K_(i−1,m−1) * X_(i,m−2)
T_(i,m−1) = ((. . . (K_(i−1,i+p mod m) · X_(i,0)) · . . . ) · X_(i,m−2)) · (M₀ ⊕ C₀)

(Namely, T_(i,1) = T_(i,0) · X_(i,1) = (K_(i−1,i+p mod m) · X_(i,0)) · X_(i,1), T_(i,2) = T_(i,1) · X_(i,2) = ((K_(i−1,i+p mod m) · X_(i,0)) · X_(i,1)) · X_(i,2), . . . )

Furthermore, the adversary does not know the working quasigroup (Q,*), hence she/he has to define a quasigroup operation * on the set {0, 1, 2, . . . , 15} and then solve the system. In fact the system (5) is a system of functional equations with one unknown quasigroup operation *, consisting of m+1 equations with 2m unknowns. We have the following theorem, whose proof uses the identities above.

Theorem 2 Any quasigroup (Q,*) of order 16, where Q={0, 1, 2, . . . , 15}, is a solution of the system of functional equations

x₀ = y₀ * y_(i mod m)
x₁ = y₁ * x₀
x₂ = y₂ * x₁   (6)
. . .
x_(m−2) = y_(m−2) * x_(m−3)
a = y_(m−1) * x_(m−2)
z = ((. . . (y_(i+p mod m) · x₀) · x₁) · . . . ) · x_(m−2)) · a

with one unknown quasigroup operation * and unknown variables x₀, x₁, . . . , x_(m−2), y₀, y₁, . . . , y_(m−1), z over Q, where · is a given quasigroup operation on Q and i (0≦i≦m−1),

$p = \left\lfloor \frac{m}{2} \right\rfloor$

and a ∈ Q are given.

Proof: Let * be any quasigroup operation on Q. We consider two cases.

Case 1: 0≦i≦m−2 (i.e. 0≦i mod m≦m−2)

Choose arbitrary values for the unknowns y₀, y_(i) ∈ Q. Then we have the unique value of x₀ ∈ Q such that x₀=y₀*y_(i). Choose an arbitrary value for the unknown y₁ ∈ Q, and then we have the unique value of x₁ ∈ Q such that x₁=y₁*x₀. Continuing in this way, choose an arbitrary value for the unknown y_(i−1) ∈ Q and then we have the unique value of x_(i−1) ∈ Q such that x_(i−1)=y_(i−1)*x_(i−2). Next, we compute the value of x_(i)=y_(i)*x_(i−1) ∈ Q (y_(i) was already chosen), after that we choose an arbitrary value for the unknown y_(i+1) ∈ Q and compute x_(i+1)=y_(i+1)*x_(i) ∈ Q, and so on. In this way we can choose arbitrary values for the unknowns y₀, y₁, . . . , y_(m−2) and from them compute the (unique) values of the unknowns x₀, x₁, . . . , x_(m−2). Finally, from the equation a=y_(m−1)*x_(m−2) we have y_(m−1)=a/x_(m−2) ∈ Q and then we can compute z=((. . . (y_(i+p mod m)·x₀)·x₁)· . . . )·x_(m−2))·a ∈ Q.

Case 2: i=m−1 (i.e. i mod m=m−1)

In this case we repeat the procedure from Case 1 in the opposite order. We choose an arbitrary value y_(m−1) ∈ Q and then from the equation a=y_(m−1)*x_(m−2) we compute the value x_(m−2)=y_(m−1)\a ∈ Q. After that we choose arbitrary values for y_(m−2), y_(m−3), . . . , y₂, y₁ ∈ Q and after each choice we compute the values x_(j)=y_(j+1)\x_(j+1) ∈ Q, j=m−3, m−4, . . . , 0. Finally, from the equation x₀=y₀*y_(m−1) we compute the value y₀=x₀/y_(m−1) and then we can compute z=((. . . (y_(i+p mod m)·x₀)·x₁)· . . . )·x_(m−2))·a ∈ Q.

As a consequence of Theorem 2 we have that, for finding suitable values of the variables K_(i−1,j) and X_(i,j) in (5), the adversary has to choose one of 16^(n)≧2¹²⁸ possible initial keys and one of 16^(m−2) (or 16^(m−1))≧16⁶²=2²⁴⁸ possible solutions y_(j) of the system of functional equations above. All together there are at least 2³⁷⁶ possible choices.

Next, we show that an adversary cannot break the system in feasible time even if she/he uses the information from several consecutive nibbles of plaintext/ciphertext strings. Namely, we prove the following theorem:

Theorem 3 For breaking the system EdonX with probability greater than 0.5 an attacker should make at least 2¹⁹⁰ trials.

Without loss of generality, the idea of the proof of Theorem 3 can be seen from the case Counter=0, Counter=1 and Counter=2, i.e. when the plaintext/ciphertext stream M₀M₁M₂/C₀C₁C₂ of length 3 is known. In this case the following equations are obtained from the encryption/decryption algorithm of EdonX (with the same simplifications as in (5)):

X_(0,0) = K_(−1,0) * K_(−1,0)
K_(0,0) = X_(0,0)
X_(0,1) = K_(−1,1) * X_(0,0)
K_(0,1) = X_(0,1)
. . .
X_(0,m−2) = K_(−1,m−2) * X_(0,m−3)   (7)
K_(0,m−2) = X_(0,m−2)
M₀ ⊕ C₀ = K_(−1,m−1) * X_(0,m−2)
T_(0,m−1) = ((. . . (K_(−1,p mod m) · X_(0,0)) · . . . ) · X_(0,m−2)) · (M₀ ⊕ C₀)
K_(0,m−1) = T_(0,m−1)

X_(1,0) = K_(0,0) * K_(0,1)
K_(1,0) = X_(1,0)
X_(1,1) = K_(0,1) * X_(1,0)
K_(1,1) = X_(1,1)
. . .
X_(1,m−2) = K_(0,m−2) * X_(1,m−3)   (8)
K_(1,m−2) = X_(1,m−2)
M₁ ⊕ C₁ = K_(0,m−1) * X_(1,m−2)
T_(1,m−1) = ((. . . (K_(0,1+p mod m) · X_(1,0)) · . . . ) · X_(1,m−2)) · (M₁ ⊕ C₁)
K_(1,m−1) = T_(1,m−1)

X_(2,0) = K_(1,0) * K_(1,2)
K_(2,0) = X_(2,0)
X_(2,1) = K_(1,1) * X_(2,0)
K_(2,1) = X_(2,1)
. . .
X_(2,m−2) = K_(1,m−2) * X_(2,m−3)   (9)
K_(2,m−2) = X_(2,m−2)
M₂ ⊕ C₂ = K_(1,m−1) * X_(2,m−2)
T_(2,m−1) = ((. . . (K_(1,2+p mod m) · X_(2,0)) · . . . ) · X_(2,m−2)) · (M₂ ⊕ C₂)
K_(2,m−1) = T_(2,m−1)

Note that (7) corresponds to Counter=0, (8) to Counter=1 and (9) to Counter=2. Also, we have X_(0,m−1)=M₀⊕C₀, X_(1,m−1)=M₁⊕C₁, X_(2,m−1)=M₂⊕C₂. For the sake of clarity we use the following replacement of the unknowns in (7), (8) and (9): K_(−1,i)=y_(i), K_(0,i)=z_(i), K_(1,i)=u_(i), K_(2,i)=v_(i), X_(0,i)=x_(i), X_(1,i)=x′_(i), X_(2,i)=x″_(i), T_(0,i)=t_(i), T_(1,i)=t′_(i), T_(2,i)=t″_(i). Then the system of equations consisting of (7), (8) and (9) can be rewritten as

x₀ = y₀ * y₀
z₀ = x₀
x₁ = y₁ * x₀
z₁ = x₁
. . .
x_(m−2) = y_(m−2) * x_(m−3)
z_(m−2) = x_(m−2)
M₀ ⊕ C₀ = y_(m−1) * x_(m−2)
t_(m−1) = ((. . . (y_(p) · x₀) · . . . ) · x_(m−2)) · (M₀ ⊕ C₀)
z_(m−1) = t_(m−1)
x′₀ = z₀ * z₁
u₀ = x′₀
x′₁ = z₁ * x′₀
u₁ = x′₁   (10)
. . .
x′_(m−2) = z_(m−2) * x′_(m−3)
u_(m−2) = x′_(m−2)
M₁ ⊕ C₁ = z_(m−1) * x′_(m−2)
t′_(m−1) = ((. . . (z_(1+p mod m) · x′₀) · . . . ) · x′_(m−2)) · (M₁ ⊕ C₁)
u_(m−1) = t′_(m−1)
x″₀ = u₀ * u₂
v₀ = x″₀
x″₁ = u₁ * x″₀
v₁ = x″₁
. . .
x″_(m−2) = u_(m−2) * x″_(m−3)
v_(m−2) = x″_(m−2)
M₂ ⊕ C₂ = u_(m−1) * x″_(m−2)
t″_(m−1) = ((. . . (u_(2+p mod m) · x″₀) · . . . ) · x″_(m−2)) · (M₂ ⊕ C₂)
v_(m−1) = t″_(m−1)

After replacement of the unknowns x₀, . . . , x_(m−2), x′₀, . . . , x′_(m−2), x″₀, . . . , x″_(m−2), t_(m−1), t′_(m−1), t″_(m−1) by z₀, . . . , z_(m−2), u₀, . . . , u_(m−2), v₀, . . . , v_(m−2), z_(m−1), u_(m−1), v_(m−1) respectively, we obtain a new system of equations, given on the left-hand side of the following table, that is equivalent to the above system (10).

Equations (equivalent system to (10))                                      Choose      Compute
z₀ = y₀ * y₀                                                               y₀          z₀
z₁ = y₁ * z₀                                                               y₁          z₁
z₂ = y₂ * z₁                                                               y₂          z₂
. . .                                                                      . . .       . . .
z_(m−2) = y_(m−2) * z_(m−3)                                                y_(m−2)     z_(m−2)
M₀ ⊕ C₀ = y_(m−1) * z_(m−2)                                                            y_(m−1)
z_(m−1) = ((. . . (y_(p) • z₀) • z₁) • . . . ) • z_(m−2)) • (M₀ ⊕ C₀)                  z_(m−1)
u₀ = z₀ * z₁                                                                           u₀
u₁ = z₁ * u₀                                                                           u₁
u₂ = z₂ * u₁                                                                           u₂
. . .                                                                                  . . .
u_(m−2) = z_(m−2) * u_(m−3)                                                            u_(m−2)
M₁ ⊕ C₁ = z_(m−1) * u_(m−2)                                                            Check Point
u_(m−1) = ((. . . (z_(1+p) • u₀) • u₁) • . . . ) • u_(m−2)) • (M₁ ⊕ C₁)                u_(m−1)
v₀ = u₀ * u₂                                                                           v₀
v₁ = u₁ * v₀                                                                           v₁
v₂ = u₂ * v₁                                                                           v₂
. . .                                                                                  . . .
v_(m−2) = u_(m−2) * v_(m−3)                                                            v_(m−2)
M₂ ⊕ C₂ = u_(m−1) * v_(m−2)                                                            Check Point
v_(m−1) = ((. . . (u_(2+p) • v₀) • v₁) • . . . ) • v_(m−2)) • (M₂ ⊕ C₂)                v_(m−1)

Proof of Theorem 3 During the proof we use the above table. In the system of equations (10) there are an unknown quasigroup operation *, 4m unknown variables and 3m equations. So, an adversary would have to assign arbitrary values to some of the unknown variables and then try to solve the system. Before that, she/he would have to choose some quasigroup operation * on the set Q={0, 1, . . . , 15}. Let the adversary assign values to the unknowns y₀, y₁, . . . , y_(m−2) (this is noted in the column ‘Choose’). Using the given values for the variables y₀, y₁, . . . , y_(m−2), she/he is able to compute the values of all other variables of (10). The column ‘Compute’ presents the order (top-down) in which the values of the variables z₀, . . . , z_(m−2), y_(m−1), u₀, . . . are computed. Thus, she/he first computes z₀=y₀*y₀ (y₀ has an assigned value), then z₁=y₁*z₀ (y₁ has an assigned value and z₀ is computed), and so on until the value of u_(m−2) is computed. Now, since z_(m−1) and u_(m−2) already have assigned values, she/he has to check whether the equation M₁⊕C₁=z_(m−1)*u_(m−2) is satisfied; this situation is denoted by Check Point in the above table. The check points make attacks on the system easier in the following way. The adversary chooses a quasigroup and assigns values to y₀, . . . , y_(m−2). Then at each check point she/he checks whether they are well chosen. When the answer is NO, she/he chooses new data for the attack (a new quasigroup operation * and/or new values for y₀, . . . , y_(m−2)). The answer YES does not mean that the data are well chosen, since it can happen accidentally. The adversary should gather several consecutive YES answers to be sure that the system is broken.

An adversary may choose another strategy, i.e. instead of assigning values to the variables y₀, . . . , y_(m−2) she/he can assign values to some other variables. Nevertheless, she/he will have to assign values to m−1 variables and will obtain the same number of check points (one less than the number of counters).

The number of all possible trials that can be produced is the product of the number of possible quasigroup operations (about 2¹³²) and the number of assignments of values for y₀, . . . , y_(m−2), which is 16^(m−2)≧16⁶²=2²⁴⁸. So, for breaking the system EdonX with probability greater than 0.5 an attacker should make at least 0.5·2³⁸⁰=2¹⁹⁰ trials.
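The following Python program is an added illustration of the reasoning behind Theorem 2 and the Check Point table; it is not part of the original text. It scales the analysis down to order 4: the two order-4 tables given later on this page for (Q,*) and (Q,\) play the roles of the secret working quasigroup and the public quasigroup (Q,·), the key length m=4, and the key and plaintext are constructed for the example. One EdonX step is implemented directly from the equations (4)/(7); for a candidate quasigroup every choice of y₀, . . . , y_(m−2) is completed to a key that reproduces C₀, which never fails (Theorem 2), and only the Counter=1 check point can then reject a choice.

```python
from itertools import product

# Order-4 quasigroups, constructed for this example: STAR plays the secret
# working quasigroup (Q,*) and DOT the public (Q,.). They are the (Q,*) and
# (Q,\) tables of the order-4 example later on this page (both Latin squares).
# CYCLIC is a structurally different candidate an analyst might try instead.
STAR = [[2, 1, 0, 3], [3, 0, 1, 2], [1, 2, 3, 0], [0, 3, 2, 1]]
DOT = [[2, 1, 0, 3], [1, 2, 3, 0], [3, 0, 1, 2], [0, 3, 2, 1]]
CYCLIC = [[(a + b) % 4 for b in range(4)] for a in range(4)]


def rdiv(table, b, a):
    """Right division b / a: the unique y with y * a == b."""
    return next(y for y in range(len(table)) if table[y][a] == b)


def edonx_round(star, dot, key, counter, m_letter):
    """One EdonX step for Counter=counter, following equations (4)/(7):
    returns (ciphertext letter C_counter, next working key K_counter)."""
    m, p = len(key), len(key) // 2
    x = [star[key[0]][key[counter % m]]]           # X_{i,0} = K_{i-1,0} * K_{i-1,i mod m}
    t = dot[key[(counter + p) % m]][x[0]]          # T_{i,0} = K_{i-1,i+p mod m} . X_{i,0}
    for j in range(1, m):
        x.append(star[key[j]][x[j - 1]])           # X_{i,j} = K_{i-1,j} * X_{i,j-1}
        t = dot[t][x[j]]                           # T_{i,j} = T_{i,j-1} . X_{i,j}
    c = x[m - 1] ^ m_letter                        # C_i = X_{i,m-1} xor M_i
    return c, x[:m - 1] + [t]                      # K_{i,j} = X_{i,j}, K_{i,m-1} = T_{i,m-1}


def encrypt(star, dot, key, msg):
    out = []
    for i, m_letter in enumerate(msg):
        c, key = edonx_round(star, dot, key, i, m_letter)
        out.append(c)
    return out


def surviving_keys(star_guess, dot, m, pairs):
    """The Choose/Compute table of Theorem 3 for Counter=0 and Counter=1.
    pairs = ((M0, C0), (M1, C1)).  Every choice of y_0..y_{m-2} is completed
    to a key reproducing C0 (Theorem 2); the Counter=1 check point then
    decides whether the choice survives.  Returns the surviving keys."""
    (m0, c0), (m1, c1) = pairs
    survivors = []
    for ys in product(range(len(star_guess)), repeat=m - 1):
        x = star_guess[ys[0]][ys[0]]               # x_0 = y_0 * y_{0 mod m}
        for j in range(1, m - 1):
            x = star_guess[ys[j]][x]               # x_j = y_j * x_{j-1}, up to x_{m-2}
        y_last = rdiv(star_guess, m0 ^ c0, x)      # M0 xor C0 = y_{m-1} * x_{m-2}
        key = list(ys) + [y_last]
        c0_guess, key1 = edonx_round(star_guess, dot, key, 0, m0)
        assert c0_guess == c0                      # Theorem 2: always consistent
        c1_guess, _ = edonx_round(star_guess, dot, key1, 1, m1)
        if c1_guess == c1:                         # the Check Point of the table
            survivors.append(key)
    return survivors


if __name__ == "__main__":
    key, msg = [3, 1, 0, 2], [1, 2, 3, 0]          # constructed secret key and plaintext
    ct = encrypt(STAR, DOT, key, msg)
    pairs = ((msg[0], ct[0]), (msg[1], ct[1]))
    for name, guess in (("true *", STAR), ("cyclic guess", CYCLIC)):
        s = surviving_keys(guess, DOT, len(key), pairs)
        print(f"{name}: {len(s)} of {4 ** (len(key) - 1)} key choices pass the check point")
```

Running it prints how many of the 4³=64 key choices survive the single check point for the true quasigroup and for a wrong one; at full size the same count is taken over about 2¹³² quasigroups and 16^(m−1) key choices, which is the estimate used in the proof of Theorem 3.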

As described above, EdonX is an additive synchronous stream cipher characterized by its flexibility and mathematical provability of many of its components. We will now point out the consequences of these facts.

As to the flexibility of EdonX, we mentioned that the length n of the initial secret key of EdonX can be any positive integer and we suggested 32≦n≦256; in fact, we presented our algorithms under these restrictions. A closer look at our algorithms shows that the above restrictions are not essential, and instead of using 512 nibbles we could design the algorithms in the same manner using 1024, 2048, 128 or any other number of nibbles. The importance of this fact is that EdonX can satisfy different security criteria, from average to extreme; thus, a very suspicious user can use a secret key of 1K (or 1M) nibbles, i.e. 4K (or 4M) bits. For higher security a longer initial secret key should be chosen, but the number of computations depends linearly on the length of the key. So, by predicting the possible attackers and their computational power, one can design software and/or hardware of EdonX according to the security that needs to be obtained.

The flexibility of the length of the secret key allows EdonX to be used in designing threshold security. Let us consider a trivial example where the key is shared between 3 persons A, B and C, a person alone does not have the complete key, and any two of them have the complete key. Then we take a 192-nibble secret initial key K=K₀∥ . . . ∥K₁₉₁ and distribute it in this way: person A obtains the part K₀∥ . . . ∥K₁₂₇, person B the part K₆₄∥ . . . ∥K₁₉₁ and person C the parts K₀∥ . . . ∥K₆₃ and K₁₂₇∥ . . . ∥K₁₉₁. Each person lacks 64 nibbles of the secret key and there are 16⁶⁴=2²⁵⁶ possible variations for completing the secret key. Suitable secure designs for s out of p threshold systems can be defined as well.

In our analysis of the security of EdonX we supposed the worst possible case for security, and that is when only the initial key is secret and the adversary can realize chosen plaintext/ciphertext attack. The security of the system becomes much stronger if we suppose that the initial quasigroup and the length of the initial key are secret too. Thus, if the initial quasigroup is secret, instead of about (16!)³≈2¹³² autotopisms, the adversary has to consider all quasigroup operations of order 16, and the number of these is not known, but is larger than 10¹²⁰≈2⁴⁰⁰.

We can take that the length n of the initial key is secret too. In that case the attacker has to check several lengths n=k, n=k+1, n=k+2, . . . where k is not large (we can choose for example k=5, and suitable security can be obtained in some applications as well). If the attacker has the hardware or software implementation of EdonX and hence a possibility to compute the length n, we could add empty cycles during the computation of EdonX. The price for this additional security is the time spent on the empty computations.

The specialty of the design of EdonX in a preferred embodiment is that it operates on 4-bit registers and uses two fixed lookup tables that are quasigroups of order 16 and can be stored in only 256 bytes. Together with the internal memory and the execution code of the algorithms, EdonX can be implemented in less than 1 Kb. Thus, EdonX is suitable for hardware implementation as an embedded system in chip cards with an extremely small amount of memory, i.e. less than 1 KB of memory.

One of the main divisions in the nature of ciphers is the division into stream ciphers and block ciphers. Block ciphers always give the same block of ciphertext for the same input block of plaintext, since they use a fixed set of transformations. On the other hand, stream ciphers give different outputs for the same sequences of plaintext because they use transformations that vary with every iteration.

In another aspect of the present invention, EdonY is a self-synchronized stream cipher based on the properties of quasigroup string transformations, which is why many of its properties are mathematically provable. EdonY, in preferred embodiments, provides a cryptographically strong and highly qualitative stream cipher. An important advantage of EdonY is the flexibility of its design, since it can work on any n-bit letter alphabet, for n=2, 3, 4, . . . . Its versions for a 5-bit letter alphabet are suitable for embedded systems, since they can be implemented in less than 2 Kb of memory space.

EdonY is a flexible self-synchronized stream cipher with provable security that transforms an input stream of r-tuples of bits for each r≧5. The length of the key of EdonY is variable and can be any string of n r-tuples; we propose n≧32 for security reasons. EdonY is defined by using quasigroup string transformations and its security is based on the mathematical properties of quasigroups and quasigroup string transformations. The design of EdonY uses a quasigroup of order 2^(r), and for r=5 EdonY is suitable for hardware implementation in embedded systems.

EdonY is defined by using quasigroup operations and quasigroup string transformations, as defined above. Equivalent to the quasigroup definition is the conjunction of the cancellation law and the existence of solutions x, y of the equations a*x=b, y*a=b for each a, b ∈ Q.

As with EdonX, Proposition 1, above will be used in proving the security of EdonY.

As an example, take Q={0, 1, 2, 3} and let the quasigroup (Q,*) and its parastrophe (Q,\) be given by the multiplication schemes in the table below.

 *  | 0 1 2 3        \  | 0 1 2 3
----+--------       ----+--------
 0  | 2 1 0 3        0  | 2 1 0 3
 1  | 3 0 1 2        1  | 1 2 3 0
 2  | 1 2 3 0        2  | 3 0 1 2
 3  | 0 3 2 1        3  | 0 3 2 1

Consider the string α=1 0 2 1 0 0 0 0 0 0 0 0 0 1 1 2 1 0 2 2 0 1 0 1 0 3 0 0 and choose the leader 0. Then by the transformations e_(0,*) and d_(0,*) we will obtain the following transformed strings e_(0,*)(α) and d_(0,*)(α):

e _(0,*)(α)=1322130213021011211133013130

d _(0,*)(α)=1302322222222101230311313302.

We present four consecutive applications of the e-transformation in the following table.

leader
         1 0 2 1 0 0 0 0 0 0 0 0 0 1 1 2 1 0 2 2 0 1 0 1 0 3 0 0 = α
   0     1 3 2 2 1 3 0 2 1 3 0 2 1 0 1 1 2 1 1 1 3 3 0 1 3 1 3 0 = e_(0,*)(α)
   0     1 2 3 2 2 0 2 3 3 1 3 2 2 1 0 1 1 2 2 2 0 3 0 1 2 2 0 2 = e_(0,*)²(α)
   0     1 1 2 3 2 1 1 2 0 1 2 3 2 2 1 0 1 1 1 1 3 1 3 3 2 3 0 0 = e_(0,*)³(α)
   0     1 0 0 3 2 2 2 3 0 1 1 2 3 2 2 1 0 1 0 1 2 2 0 3 2 0 2 1 = e_(0,*)⁴(α)

Now we apply four times the transformation d_(0,\) on the last obtained string β=e_(0,*) ⁴(α), as shown in the following table.

leader
   0     1 0 0 3 2 2 2 3 0 1 1 2 3 2 2 1 0 1 0 1 2 2 0 3 2 0 2 1 = β
   0     1 1 2 3 2 1 1 2 0 1 2 3 2 2 1 0 1 1 1 1 3 1 3 3 2 3 0 0 = d_(0,\)(β)
   0     1 2 3 2 2 0 2 3 3 1 3 2 2 1 0 1 1 2 2 2 0 3 0 1 2 2 0 2 = d_(0,\)²(β)
   0     1 3 2 2 1 3 0 2 1 3 0 2 1 0 1 1 2 1 1 1 3 3 0 1 3 1 3 0 = d_(0,\)³(β)
   0     1 0 2 1 0 0 0 0 0 0 0 0 0 1 1 2 1 0 2 2 0 1 0 1 0 3 0 0 = d_(0,\)⁴(β)

One can notice that the starting distribution of 0, 1, 2 and 3 in α: 16/28, 7/28, 4/28, 1/28 is changed to 7/28, 7/28, 10/28, 4/28 in e_(0,*) ⁴(α), hence the distribution became more uniform. Also, we have α=d_(0,\) ⁴(β)=d_(0,\) ⁴(e_(0,*) ⁴(α)). Proposition 2, above, still applies.
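The e- and d-transformations on this order-4 quasigroup, as an added Python example (not code from the original text): the parastrophe table is derived from the (Q,*) table instead of being typed in, and the string α and the leader 0 are the ones above. The d_(0,*)(α) string it produces agrees with the one printed above, and the program checks that four e-transformations followed by four d-transformations with the parastrophe return α.

```python
from collections import Counter

# The order-4 quasigroup (Q,*) of the page's example as a lookup table,
# STAR[a][b] = a * b.  Its parastrophe (Q,\) is computed from it below.
STAR = [[2, 1, 0, 3], [3, 0, 1, 2], [1, 2, 3, 0], [0, 3, 2, 1]]

# The page's string alpha (28 letters) and the leader 0.
ALPHA = [1, 0, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
         1, 2, 1, 0, 2, 2, 0, 1, 0, 1, 0, 3, 0, 0]
LEADER = 0


def parastrophe(table):
    """Left-division table: a \\ b is the unique x with a * x == b."""
    n = len(table)
    return [[table[a].index(b) for b in range(n)] for a in range(n)]


def e_transform(table, leader, s):
    """e_{l,op}(a_1...a_k) = b_1...b_k with b_1 = l op a_1, b_i = b_{i-1} op a_i."""
    out, prev = [], leader
    for a in s:
        prev = table[prev][a]
        out.append(prev)
    return out


def d_transform(table, leader, s):
    """d_{l,op}(a_1...a_k) = b_1...b_k with b_1 = l op a_1, b_i = a_{i-1} op a_i."""
    out, prev = [], leader
    for a in s:
        out.append(table[prev][a])
        prev = a
    return out


def iterate(transform, table, leader, s, times):
    """Apply the same transformation `times` times (e.g. e_{0,*}^4)."""
    for _ in range(times):
        s = transform(table, leader, s)
    return s


def distribution(s):
    """Letter counts, e.g. {0: 16, 1: 7, 2: 4, 3: 1} for ALPHA."""
    return dict(sorted(Counter(s).items()))


BACKSLASH = parastrophe(STAR)


def roundtrip(times):
    """e_{0,*} applied `times` times, then d_{0,\\} the same number of times;
    by Proposition 2 this must give back the input string."""
    beta = iterate(e_transform, STAR, LEADER, ALPHA, times)
    return iterate(d_transform, BACKSLASH, LEADER, beta, times)


if __name__ == "__main__":
    print("alpha        ", distribution(ALPHA))
    print("e^4(alpha)   ", distribution(iterate(e_transform, STAR, LEADER, ALPHA, 4)))
    print("d^4(e^4(a)) == alpha:", roundtrip(4) == ALPHA)
```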

Several quasigroup operations can be defined on the set Q; let *₁, *₂, . . . , *_(k) be a sequence of (not necessarily distinct) such operations. We choose also leaders l₁, l₂, . . . , l_(k) ∈ Q (not necessarily distinct either), and then the compositions of mappings

E = E_(l₁ . . . l_(k),*₁ . . . *_(k)) = e_(l₁,*₁) ∘ e_(l₂,*₂) ∘ . . . ∘ e_(l_(k),*_(k)),

D = D_(l₁ . . . l_(k),*₁ . . . *_(k)) = d_(l₁,*₁) ∘ d_(l₂,*₂) ∘ . . . ∘ d_(l_(k),*_(k)),

are said to be E- and D-transformations of Q⁺ respectively. By Proposition 2, E and D are permutations, and the inverse of E = E_(l₁ . . . l_(k),*₁ . . . *_(k)) = e_(l₁,*₁) ∘ e_(l₂,*₂) ∘ . . . ∘ e_(l_(k),*_(k)) is the transformation E⁻¹ = D_(l_(k) . . . l₁,\_(k) . . . \₁) = d_(l_(k),\_(k)) ∘ . . . ∘ d_(l₂,\₂) ∘ d_(l₁,\₁), where \_(i) are the corresponding parastrophes of the operations *_(i).

Since D∘E=1 is the identity function, E can be used as an encryption function and D as a decryption function, and we use just these functions in a preferred design of EdonY.

The proof that EdonY is self-synchronized will be a direct consequence of the following theorem.

Theorem 4 Let E=E_(l₁ . . . l_(n),*₁ . . . *_(n)) and D=D_(l_(n) . . . l₁,\_(n) . . . \₁). Assume that E(b₁b₂ . . . b_(k))=c₁c₂ . . . c_(k) and d≠c_(i) for some fixed i. Then

D(c₁ . . . c_(i−1) d c_(i+1) . . . c_(k)) = b₁ . . . b_(i−1) d₁ . . . d_(n+1) b_(i+n+1) . . . b_(k),

for some d₁, . . . , d_(n+1) ∈ A.

Proof: For simplicity we take n=2, i.e. E=E_(l₁l₂,*₁*₂) and D=D_(l₂l₁,\₂\₁). The equality E(b₁b₂ . . . b_(k))=c₁c₂ . . . c_(k) means that for some x₁, . . . , x_(k) ∈ A we have e_(l₂,*₂)(b₁b₂ . . . b_(k))=x₁x₂ . . . x_(k) and e_(l₁,*₁)(x₁x₂ . . . x_(k))=c₁c₂ . . . c_(k). Then by the definition of the e-transformation we have

l₂ *₂ b₁ = x₁, x₁ *₂ b₂ = x₂, x₂ *₂ b₃ = x₃, . . . , x_(k−1) *₂ b_(k) = x_(k),  (4)

l₁ *₁ x₁ = c₁, c₁ *₁ x₂ = c₂, c₂ *₁ x₃ = c₃, . . . , c_(k−1) *₁ x_(k) = c_(k).  (5)

Let D(c₁ . . . c_(i−1) d c_(i+1) . . . c_(k))=z₁ . . . z_(k) for some z_(j) ∈ A. Then there are y₁, . . . , y_(k) ∈ A such that d_(l₁,\₁)(c₁ . . . c_(i−1) d c_(i+1) . . . c_(k))=y₁ . . . y_(k) and d_(l₂,\₂)(y₁ . . . y_(k))=z₁ . . . z_(k). By the definition of the d-transformation and (5) we have:

y₁ = l₁ \₁ c₁ = x₁, . . . , y_(i−1) = c_(i−2) \₁ c_(i−1) = x_(i−1),

y_(i) = c_(i−1) \₁ d,

y_(i+1) = d \₁ c_(i+1),  (6)

y_(i+2) = c_(i+1) \₁ c_(i+2) = x_(i+2), . . . , y_(k) = c_(k−1) \₁ c_(k) = x_(k).

Now, z₁z₂ . . . z_(k) = d_(l₂,\₂)(y₁y₂ . . . y_(k)) = d_(l₂,\₂)(x₁ . . . x_(i−1) y_(i) y_(i+1) x_(i+2) . . . x_(k)), and (4) and (6) imply

z₁ = l₂ \₂ x₁ = b₁, . . . , z_(i−1) = x_(i−2) \₂ x_(i−1) = b_(i−1),

z_(i) = x_(i−1) \₂ y_(i),

z_(i+1) = y_(i) \₂ y_(i+1),

z_(i+2) = y_(i+1) \₂ x_(i+2),

z_(i+3) = x_(i+2) \₂ x_(i+3) = b_(i+3), . . . , z_(k) = x_(k−1) \₂ x_(k) = b_(k).

So, one error in the string E(b₁b₂ . . . b_(k)) propagates to n+1=2+1=3 errors in the string D(E(b₁b₂ . . . b_(k))). The following property of the function E will be used when we discuss the security of EdonY.

Proposition 3 Let (Q,*) be a quasigroup, α an arbitrary string of Q⁺, and E=E_(l₁ . . . l_(k),*₁ . . . *_(k)). Then the string β=E(α) has uniform distribution of the letters, pairs of letters, . . . , k-tuples of letters.

In the exemplary construction of EdonY we use a quasigroup of order 32 (defined on 5-bit letters). However, quasigroups of order 64, 128, . . . can be used as well, with only slight modifications of the construction. In fact, any quasigroup of suitably large order can be used, and the security grows with the order of the quasigroup. Further on we take Q={0, 1, 2, . . . , 31} and the construction will be made using a quasigroup operation • on Q. We take (Q,•) to be a public quasigroup. The secret key K of EdonY is stored in n internal variables K_(i), i.e. K=K₀K₁ . . . K_(n−1), and the variables K_(i) have values in the range {0, 1, . . . , 31}. The i-th value of K will also be denoted by K[i] (=K_(i)). We take the length of the key K to be n≧32, i.e. the key has at least 160 bits. As is always the case, a larger key length means higher security, the price being paid by slower performance of the system; the same is true for the order of the quasigroup. We emphasize that this flexibility of the design is one of the best characteristics of EdonY.

The principal steps of the EdonY algorithm are the following. By using the quasigroup (Q,•) and the initial secret values of the key K we produce an unknown autotope (Q,*) of (Q,•). We encrypt the input message, i.e. the plaintext M=M₀M₁M₂ . . . , where M_(i) are 5-bit letters, letter by letter as follows. First we multiply M by the values of K and we obtain an auxiliary plaintext B=B₀B₁B₂ . . . , where

$B_i = M_i * K_{i + \lfloor n/2 \rfloor \bmod n}, \quad i = 0, 1, 2, \ldots$

Then we apply on B the E-transformation E = E_(K₀K₁ . . . K_(n−1),* . . . *) = e_(K₀,*) ∘ . . . ∘ e_(K_(n−1),*), and the obtained string C=E(B)=C₀C₁C₂ . . . is the ciphertext of M. Having a ciphertext C, the auxiliary plaintext B is recovered by applying the D-transformation D = D_(K_(n−1) . . . K₁K₀,\ . . . \) = d_(K_(n−1),\) ∘ . . . ∘ d_(K₀,\) on C, i.e. B=D(C). Finally, the original plaintext message M=M₀M₁M₂ . . . is obtained from the auxiliary plaintext B=B₀B₁B₂ . . . letter by letter as

$M_i = B_i / K_{i + \lfloor n/2 \rfloor \bmod n}, \quad i = 0, 1, 2, \ldots$

The EdonY encryption algorithm and decryption algorithm, as shown in the following tables, are precisely defined by the following procedures, where M=M₀M₁M₂M₃ . . . (C=C₀C₁C₂C₃ . . . ) is the input (output) string of the encryption algorithm and C=C₀C₁C₂C₃ . . . (M=M₀M₁M₂M₃ . . . ) is the input (output) string of the decryption algorithm. The variables X and Y in the decryption algorithm are auxiliary 5-bit variables.

EdonY encryption algorithm

Phase 1. Initialization
  From the secret initial key K of length n obtain the new working key and the new quasigroup (Q,*) ← Autotope(Q,•).

Phase 2. Encryption
  1. Counter ← 0; p = ⌊n/2⌋;
  2. K₀ ← K₀ * (M_(Counter) * K_(Counter+p mod n));
  3. For i = 1 to n − 1 do
       begin K_(i) ← K_(i) * K_(i−1); end;
  4. Output: C_(Counter) = K_(n−1);
  5. Counter ← Counter + 1;
  6. Go to 2;

EdonY decryption algorithm

Phase 1. Initialization
  From the secret initial key K of length n obtain the new working key and the new quasigroup (Q,*) ← Autotope(Q,•).

Phase 2. Decryption
  1. Counter ← 0; p = ⌊n/2⌋;
  2. X ← K_(n−1); K_(n−1) ← C_(Counter);
  3. For i = n − 2 down to 0 do
       begin Y ← K_(i); K_(i) ← X \ K_(i+1); X ← Y; end;
  4. Output: M_(Counter) = (X \ K₀) / K_(Counter+p mod n);
  5. Counter ← Counter + 1;
  6. Go to 2;

As with EdonX, the Initialization phase uses a secret working quasigroup (Q,*) to be produced from the secret initial key and the public quasigroup (Q,•) as well as working key K. Now we suppose that the length n of the key (in 5-bit letters) is bounded by 32≦n≦510, since we want to represent the number n as a two 5-bit letter string b₉b₈b₇b₆b₅∥b₄b₃b₂b₁b₀=n₁∥n₂, where b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ is the binary representation of n. Here ∥ denotes concatenation of strings. (Of course, the algorithm can be redesigned for any length n in a straightforward way).

The initialization phase, similar to that used for EdonX, is described by the following algorithm:

Initialization of EdonY

Phase 1. Input of initial key
  1. Input: n, the initial length of the secret key (32 ≦ n ≦ 510), and the initial secret value of the key K = K₀||K₁||...||K_(n−1) (K_(i) are 5-bit letters).

Phase 2. Padding the key
  2. Set K ← K_(in)||n₁||n₂, where n₁ is the most significant and n₂ the least significant 5-bit letter of n.

Phase 3. Expanding the key to 512 5-bit letters
  3. Set K_(ex) = K||K||...||K||K′, where K′ consists of the first l 5-bit letters of K_(in), such that the total length of K_(ex) is 512 5-bit letters.

Phase 4. Transformation of K_(ex) with the given quasigroup (Q,•) of order 32
  4. For i = 0 to 511 do
       begin
         Set leader = K[i mod (n + 2)];
         K_(ex) ← E_(leader...leader,•...•)(K_(ex));
         K_(ex) ← RotateLeft(K_(ex));
       end;

Phase 5. Transformation (Q,*) ← Autotope(Q,•)
  5. (Q,*) ← (Q,•);
     For i = 0 to 511 step 8 do
       begin
         Set row₁ = K_(ex)[i]; Set row₂ = K_(ex)[i + 1];
         (Q,*) ← SwapRows(Q, row₁, row₂);
         Set column₁ = K_(ex)[i + 2]; Set column₂ = K_(ex)[i + 3];
         (Q,*) ← SwapColumns(Q, column₁, column₂);
         Set γ = (K_(ex)[i + 4], K_(ex)[i + 6]);
         (Q,*) ← γ(Q,*);
       end;

Phase 6. Setting the working key K (the last n 5-bit letters of K_(ex))
  6. Set K = K₀||K₁||...||K_(n−1) = K_(ex)[512 − n]||...||K_(ex)[511].

The functions RotateLeft(K_(ex)), SwapRows and SwapColumns operate as described above regarding EdonX.

At the end of the initialization phase, we obtain two working structures that are not known to the adversary. Namely, a first unknown structure is the working quasigroup (Q,*) that is an autotope of the original quasigroup Q(•) and it is one of about (32!)³≈2³⁵² autotopes, and a second unknown structure is the working key K of length 5n bits that replaces the original initial secret key K. (We emphasize that the exact number of the autotopism classes of quasigroups of order 32 is not known).
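An added Python implementation of the initialization phase as described by the table above (not the patent's own code). Two points are assumptions and are stated in the code: the public quasigroup (Q,•) of order 32 is constructed from the rule a•b=(3a+5b+7) mod 32, since the page does not list its table, and E_(leader...leader,•...•) is taken as one e-transformation per step (the count is not fixed on this page), with RotateLeft taken as a rotation by one letter. Alongside Phase 5 the program keeps the row, column and value permutations, so the conclusion of the Phase 5 proof given above for EdonX (the working quasigroup is an autotope of the public one under (α′,β′,γ′)) can be checked directly on the result.

```python
ORDER = 32

# Public quasigroup (Q,.) of order 32, constructed for this example (the page's
# own table is not reproduced): a.b = (3a + 5b + 7) mod 32 is a Latin square
# because 3 and 5 are invertible modulo 32.
DOT = [[(3 * a + 5 * b + 7) % ORDER for b in range(ORDER)] for a in range(ORDER)]


def e_transform(table, leader, s):
    """e_{leader,.}: b_1 = leader.a_1, b_i = b_{i-1}.a_i."""
    out, prev = [], leader
    for a in s:
        prev = table[prev][a]
        out.append(prev)
    return out


def expand_key(k_in, total=512):
    """Phases 1-3: K = K_in||n1||n2, then K_ex = K||K||...||K||K' of `total`
    letters, K' being a prefix of K_in."""
    n = len(k_in)
    if not (32 <= n <= 510) or any(not 0 <= x < ORDER for x in k_in):
        raise ValueError("key must be 32..510 letters in 0..31")
    k = k_in + [(n >> 5) & 31, n & 31]
    reps = total // len(k)
    return k, k * reps + k_in[: total - reps * len(k)]


def mix_key(k, k_ex, rounds_per_step=1):
    """Phase 4.  Assumptions: E_{leader...leader} is `rounds_per_step`
    e-transformations with that leader (the page does not fix the count here),
    and RotateLeft rotates by one letter."""
    for i in range(len(k_ex)):
        leader = k[i % len(k)]
        for _ in range(rounds_per_step):
            k_ex = e_transform(DOT, leader, k_ex)
        k_ex = k_ex[1:] + k_ex[:1]
    return k_ex


def autotope(k_ex):
    """Phase 5: 64 steps of (row swap, column swap, value transposition).
    The permutations rho, kappa, g are tracked so that the Phase 5 proof's
    claim star[a][b] == g[dot[rho[a]][kappa[b]]] can be verified."""
    star = [row[:] for row in DOT]
    rho, kappa, g = list(range(ORDER)), list(range(ORDER)), list(range(ORDER))
    for i in range(0, len(k_ex), 8):
        r1, r2 = k_ex[i], k_ex[i + 1]                  # SwapRows
        star[r1], star[r2] = star[r2], star[r1]
        rho[r1], rho[r2] = rho[r2], rho[r1]
        c1, c2 = k_ex[i + 2], k_ex[i + 3]              # SwapColumns
        for row in star:
            row[c1], row[c2] = row[c2], row[c1]
        kappa[c1], kappa[c2] = kappa[c2], kappa[c1]
        v1, v2 = k_ex[i + 4], k_ex[i + 6]              # gamma = (v1 v2) on the entries
        swap = {v1: v2, v2: v1}
        star = [[swap.get(x, x) for x in row] for row in star]
        g = [swap.get(x, x) for x in g]
    return star, (rho, kappa, g)


def is_autotope(star, dot, perms):
    rho, kappa, g = perms
    return all(star[a][b] == g[dot[rho[a]][kappa[b]]]
               for a in range(ORDER) for b in range(ORDER))


def is_latin_square(table):
    full = set(range(len(table)))
    return (all(set(row) == full for row in table)
            and all({row[b] for row in table} == full for b in range(len(table))))


def initialize(k_in):
    """Phases 1-6: returns the working quasigroup, its autotopism to (Q,.)
    and the working key (the last n letters of K_ex)."""
    k, k_ex = expand_key(k_in)
    k_ex = mix_key(k, k_ex)
    star, perms = autotope(k_ex)
    return star, perms, k_ex[-len(k_in):]


if __name__ == "__main__":
    k_in = [(7 * i + 3) % ORDER for i in range(40)]    # constructed 40-letter key
    star, perms, wk = initialize(k_in)
    star2, _, wk2 = initialize(k_in[:-1] + [(k_in[-1] + 1) % ORDER])
    print("latin square:", is_latin_square(star), " autotope of (Q,.):", is_autotope(star, DOT, perms))
    print("one-letter key change alters working key:", wk != wk2, " and quasigroup:", star != star2)
```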

It follows from Theorem 4 that EdonY is self-synchronized, since one error in the ciphertext C propagates to n+1 errors in the recovered plaintext M′, i.e. the original message M and M′ will differ in n+1 consecutive letters. If there is a string of errors in C of length l, then the recovered plaintext will have l+n errors. One can see from Example 1 in which way the EdonY encryption and decryption processes work.

Security of preferred embodiments of EdonY will now be discussed. We assume that the adversary is capable of executing a chosen plaintext/ciphertext attack, i.e. she/he can choose a plaintext and obtain the corresponding ciphertext. We assume further that the initial value of the secret key K as well as the internal states of the cipher (working key K, working quasigroup (Q,*) and the values of X and Y) are not known to the adversary and that she/he cannot access them physically. We consider that the adversary has broken EdonY if she/he is able to reconstruct in feasible time the working key K and the working quasigroup (Q,*).

We will now show that without knowledge of the initial key K_(in) there is no computationally feasible way of knowing the working quasigroup (Q,*) and the starting values of the working key K. In the following, we give proofs that the adversary cannot effectively obtain information on any part of the working key K and the quasigroup (Q,*).

Regarding the initialization phase, the initial value of the secret key, by our assumptions, can have a length at least 32 5-bits letters, hence 160 bits. The padding of the initial key by the information of its length, as stated above, is to eliminate the possibility of obtaining the same result with two different initial keys. The exemplary expanded key K_(ex) has length of 512 5-bits letters. It is transformed 512 times by the publicly known quasigroup (Q,•) of order 32.

As with EdonX, it can be shown that the distributions of letters, pairs of letters, triples of letters, . . . in the key K_(ex) of EdonY are uniform. The uniformity of the distribution of the keys K_(ex) implies the uniformity of the distribution of the working keys K. Since the length of K is at least 32 5-bit letters, the adversary can guess the working key with probability not larger than 2⁻¹⁶⁰.

Further, as with EdonX, it can be shown that the working quasigroup (Q,*) is a randomly obtained autotope of the initial quasigroup (Q,•). Since there are about 32!³≈2³⁵² autotopisms on a quasigroup of order 32, we found that the working quasigroup can only be guessed with a probability of about 2⁻³⁵².

As to the encryption/decryption phase, we have determined that the working quasigroup (Q,*) and the starting working key K=K₀K₁ . . . K_(n−1) are not known to the adversary, i.e. it is computationally infeasible to recover them. Statistical attacks using the distributions of s-tuples of letters are also computationally infeasible by Proposition 3. The next theorem implies that under a known ciphertext attack it is computationally infeasible to recover the key and the quasigroup, hence they can only be guessed with probability less than 2⁻¹⁰⁰⁰ (the number of quasigroups of order 32 is not known, but it is much larger than 2¹⁰⁰⁰).

Theorem 5 Given a ciphertext C, for each quasigroup operation * on Q={0, 1, . . . , 31} and each key K=K₀K₁ . . . K_(n−1) there is a plaintext M such that C is its ciphertext.

Proof: Let C=C₀C₁C₂ . . . , C_(i)εQ be given and let us choose an arbitrary quasigroup operation * on Q and arbitrary key K=K₀K₁ . . . K_(n−1). The encryption process of EdonY can be represented by the next table (note that

$p = \left\lbrack \frac{n}{2} \right\rbrack$

is a constant).

             M₀            M₁            M₂            . . .
             M₀/K_(p)      M₁/K_(1+p)    M₂/K_(2+p)    . . .
K₀           T₀            S₀            R₀            . . .
K₁           T₁            S₁            R₁            . . .
. . .        . . .         . . .         . . .
K_(n−3)      T_(n−3)       S_(n−3)       R_(n−3)       . . .
K_(n−2)      T_(n−2)       S_(n−2)       R_(n−2)       . . .
K_(n−1)      C₀            C₁            C₂            . . .

Since C_(i), K_(j) are given, we can compute the other variables of the table step by step as follows:

K_(n−1) * T_(n−2) = C₀,   hence   T_(n−2) = K_(n−1) \ C₀
K_(n−2) * T_(n−3) = T_(n−2),   hence   T_(n−3) = K_(n−2) \ T_(n−2)
. . .
K₁ * T₀ = T₁,   hence   T₀ = K₁ \ T₁
K₀ * (M₀/K_(p)) = T₀,   hence   M₀/K_(p) = K₀ \ T₀

Now we have M₀=(M₀/K_(p))*K_(p), i.e. we found the first letter of the message M whose encryption is C₀. Using the known values of T_(i) we can repeat the preceding computations to get the values of the variables S_(n−2)=C₀\C₁, S_(n−3)=T_(n−2)\S_(n−2), . . . , resulting in a value for M₁ that is encrypted by C₁. In the same way we can find the values of M₂, M₃, . . . .
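The encryption and decryption tables above, Theorem 4 (one ciphertext error costs at most n+1 consecutive plaintext letters) and Theorem 5 (every (Q,*) and K explain every C) as one added Python example; it is not the patent's own code. The working quasigroup is a constructed order-32 Latin square rather than the output of Autotope, and step 4 of decryption is read as dividing by the key letter K_(Counter+p mod n) as it stood before that step's updates, which is the value that encryption step 2 multiplied by; the decryption table leaves this implicit. Key and plaintext are constructed.

```python
ORDER = 32

# Working quasigroup (Q,*) of order 32, constructed for this example instead of
# running the Autotope initialization: a*b = (3a + 5b + 7) mod 32 is a Latin
# square because 3 and 5 are invertible modulo 32.
STAR = [[(3 * a + 5 * b + 7) % ORDER for b in range(ORDER)] for a in range(ORDER)]


def ldiv(table, a, b):
    """a \\ b: the unique x with a * x == b."""
    return table[a].index(b)


def rdiv(table, b, a):
    """b / a: the unique y with y * a == b."""
    return next(y for y in range(len(table)) if table[y][a] == b)


def edony_encrypt(star, key, msg):
    """Phase 2 of the encryption table, run over a whole message."""
    k, n = list(key), len(key)
    p = n // 2
    out = []
    for counter, m in enumerate(msg):
        k[0] = star[k[0]][star[m][k[(counter + p) % n]]]  # 2. K0 <- K0 * (M * K_{Counter+p mod n})
        for i in range(1, n):                              # 3. K_i <- K_i * K_{i-1}
            k[i] = star[k[i]][k[i - 1]]
        out.append(k[n - 1])                               # 4. C_Counter = K_{n-1}
    return out


def edony_decrypt(star, key, ct):
    """Phase 2 of the decryption table.  Assumption: step 4 divides by
    K_{Counter+p mod n} as it stood before this step's updates (the value
    encryption step 2 used); the table does not state this explicitly."""
    k, n = list(key), len(key)
    p = n // 2
    out = []
    for counter, c in enumerate(ct):
        mask = k[(counter + p) % n]
        x = k[n - 1]                                       # 2. X <- K_{n-1}; K_{n-1} <- C
        k[n - 1] = c
        for i in range(n - 2, -1, -1):                     # 3. Y <- K_i; K_i <- X \ K_{i+1}; X <- Y
            y = k[i]
            k[i] = ldiv(star, x, k[i + 1])
            x = y
        out.append(rdiv(star, ldiv(star, x, k[0]), mask))  # 4. M = (X \ K0) / K_{Counter+p mod n}
    return out


def error_positions(star, key, msg, pos, wrong):
    """Theorem 4 / self-synchronisation: corrupt ciphertext letter `pos` and
    report which recovered plaintext positions differ from msg."""
    ct = edony_encrypt(star, key, msg)
    if ct[pos] == wrong:
        raise ValueError("wrong must differ from the real ciphertext letter")
    damaged = ct[:pos] + [wrong] + ct[pos + 1:]
    rec = edony_decrypt(star, key, damaged)
    return [i for i, (a, b) in enumerate(zip(msg, rec)) if a != b]


def plaintext_for(star, key, ct):
    """Theorem 5: for any (*, K) there is a plaintext M with E(M) = C."""
    m = edony_decrypt(star, key, ct)
    assert edony_encrypt(star, key, m) == ct
    return m


if __name__ == "__main__":
    key = [5, 17, 3, 29, 11, 0, 22, 9]                         # constructed 8-letter working key
    msg = [ord(ch) % 32 for ch in "QUASIGROUP STREAM CIPHER"]  # constructed 5-bit plaintext
    ct = edony_encrypt(STAR, key, msg)
    print("round trip ok:", edony_decrypt(STAR, key, ct) == msg)
    print("plaintext positions hit by one ciphertext error at position 5:",
          error_positions(STAR, key, msg, 5, (ct[5] + 1) % 32))
    other = [1, 2, 3, 4, 5, 6, 7, 8]
    print("a different key also explains ct:",
          edony_encrypt(STAR, other, plaintext_for(STAR, other, ct)) == ct)
```

plaintext_for shows Theorem 5 operationally: decrypting C under an arbitrary key produces some M, and re-encrypting that M under the same key gives C back, so a ciphertext on its own cannot single out the key or the quasigroup. error_positions shows the self-synchronization claim: the damaged letter itself is always wrong, nothing before it is affected, and everything after position pos+n is recovered correctly.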

Another possible statistical attack that can be carried out on EdonY under known ciphertext is by producing a dictionary of (n+1)-tuples of ciphertext letters, where n is the length of the key. We use the next table to explain how that kind of attack can be carried out, and we take n=3 for simplicity. We suppose that the adversary has a ciphertext C₀C₁ . . . C_(i)C_(i+1) . . . .

. . .                  . . .                   . . .
                       y₁\y₂ = z₁              y₂\y₃ = z₂              . . .
x₁\x₂ = y₁             x₂\x₃ = y₂              x₃\x₄ = y₃              . . .
C_(i)\C_(i+1) = x₁     C_(i+1)\C_(i+2) = x₂    C_(i+2)\C_(i+3) = x₃    C_(i+3)\C_(i+4) = x₄
C_(i)        C_(i+1)         C_(i+2)         C_(i+3)         C_(i+4)

Then first x₁, x₂, . . . , after that y₁, y₂, . . . , and finally z₁, z₂, . . . can be computed. Hence the values z₁, z₂, z₃, . . . are uniquely determined by the substrings of the ciphertext C_(i)C_(i+1)C_(i+2)C_(i+3), C_(i+1)C_(i+2)C_(i+3)C_(i+4), C_(i+2)C_(i+3)C_(i+4)C_(i+5), . . . . This implies that the distribution of the substrings of length n+1=3+1=4 in C is equal to the distribution of letters in the string B=B₀B₁B₂ . . . , where

$B_{i} = M_{i} / K_{(i + [\frac{n}{2}]) \bmod n}$, and

from that some knowledge of the distribution of the plaintext M can be distilled. So, the adversary has to produce a dictionary of (n+1)-tuples of ciphertext letters. The dictionary in the case n=3 will consist of 32⁴=2²⁰ words and can be kept in memory. Since we took n ≥ 32, the dictionary for EdonY will need at least 32³³=2¹⁶⁵ words, which cannot be realized by the laws of physics. Thus we have proved the following theorem.

Theorem 6 The dictionary kind of statistical attack on EdonY is computationally infeasible.

Next we will prove that a chosen plaintext/ciphertext attack on EdonY is computationally infeasible as well. Let us assume that the adversary can produce an arbitrary pair (M,C)=((M₀M₁ . . . ), (C₀C₁ . . . )) of plaintext/ciphertext strings. Then s/he can extract information from the following table, where we take n=4 for simplicity.

      M₀       M₁       M₂       M₃       M₄       M₅       . . .
      M₀/K₂    M₁/K₃    M₂/K₀    M₃/K₁    M₄/K₂    M₅/K₃    . . .
K₀    z₀       z₁       z₂       z₃       z₄       z₅       . . .
K₁    y₀       y₁       y₂       y₃       y₄       y₅       . . .
K₂    x₀       x₁       x₂       x₃       x₄       x₅       . . .
K₃    C₀       C₁       C₂       C₃       C₄       C₅       . . .

The variables K_(i), x_(i), y_(i), z_(i) are unknown and we can infer the following system of quasigroup equations, where the operation “.” on Q={0, 1, 2, . . . , 31} is unknown:

K₀·(M₀/K₂) = z₀,  z₀·(M₁/K₃) = z₁,  z₁·(M₂/K₀) = z₂,  . . .

K₁·z₀ = y₀,  y₀·z₁ = y₁,  y₁·z₂ = y₂,  . . .

K₂·y₀ = x₀,  x₀·y₁ = x₁,  x₁·y₂ = x₂,  . . .

K₃·x₀ = C₀,  C₀·x₁ = C₁,  C₁·x₂ = C₂,  . . .

The information that can be inferred from the equations C₀·x₁=C₁, C₁·x₂=C₂, C₂·x₃=C₃, C₃·x₄=C₄, . . . of the above system is the following. Since the plaintext M can be chosen arbitrarily, the ciphertext C will contain as substrings all 32² possible pairs ab, where (a,b) ∈ Q². From the equation C_(i)·x_(i+1)=C_(i+1) we know that the element C_(i+1) is positioned in the multiplication table of the quasigroup (Q,•) in the C_(i)-th row and the x_(i+1)-th column. In other words, if the multiplication in (Q,•) is denoted by i·j=q_(i,j), then q_(C_(i),x_(i+1))=C_(i+1). It follows that we have complete information about the columns of the multiplication table of (Q,•). For example, we do not know the value of x₁, but we know the values of q_(0,x₁)=0·x₁, q_(1,x₁)=1·x₁, q_(2,x₁)=2·x₁, . . . , q_(31,x₁)=31·x₁. In such a way, we can extract 32 different variables x_(i₀), . . . , x_(i₃₁) with completed columns in the multiplication table of (Q,•). Let us take for simplicity i_(j)=j, and we have the following multiplication table of (Q,•):

$\quad\begin{matrix}  \cdot & x_{0} & x_{1} & x_{2} & \ldots & x_{31} \\ 0 & q_{0,x_{0}} & q_{0,x_{1}} & q_{0,x_{2}} & \ldots & q_{0,x_{31}} \\ 1 & q_{1,x_{0}} & q_{1,x_{1}} & q_{1,x_{2}} & \ldots & q_{1,x_{31}} \\ 2 & q_{2,x_{0}} & q_{2,x_{1}} & q_{2,x_{2}} & \ldots & q_{2,x_{31}} \\ \vdots & \vdots & \vdots & \vdots & \ldots & \vdots \\ 31 & q_{31,x_{0}} & q_{31,x_{1}} & q_{31,x_{2}} & \ldots & q_{31,x_{31}} \end{matrix}$

Since the x_(i) are unknown, the original multiplication table of (Q,*) is a permutation of the columns of the multiplication table of (Q,•). Let us assign values to the unknowns x₀, x₁, . . . , x₃₁. Then, from the system of equations above we can compute step by step the uniquely determined values of the unknowns K₃=C₀/x₀, y₁=x₀\x₁, y₂=x₁\x₂, y₃=x₂\x₃, . . . , z₂=y₁\y₂, z₃=y₂\y₃, z₄=y₃\y₄, . . . . Now the values of the key can be computed by K₁=M₃/(z₂\z₃), K₂=M₄/(z₃\z₄), K₃=M₅/(z₄\z₅), K₀=M₆/(z₅\z₆), K₁=M₇/(z₆\z₇), . . . . Since there are finitely many variables K_(i) (in this simplified version we have only 4, but in a preferred application of EdonY there are n ≥ 32), the adversary has an opportunity to check whether the assigned values of x₀, x₁, . . . , x₃₁ are correct. Namely, if they are correct, then the equalities M₃/(z₂\z₃)=M₇/(z₆\z₇) (=K₁), M₄/(z₃\z₄)=M₈/(z₇\z₈) (=K₂), . . . should be satisfied. If they are not satisfied, the adversary has to give another assignment to the unknowns x₀, x₁, . . . , x₃₁ and check again whether they are correct, and so on. Since there are 32!≈2¹¹⁷ different possible assignments, we have the following theorem:

Theorem 7 Under a chosen plaintext/ciphertext attack it is computationally infeasible for the quasigroup operation * or the key of EdonY to be recovered.

As shown above, EdonY is a self-synchronizing stream cipher characterized by its flexibility and the mathematical provability of many of its components. The self-synchronization of EdonY is a consequence of Theorem 4. By this theorem, if we have a key length n, then an error in the ciphertext will produce n+1 consecutive errors in the plaintext during the decryption process. The encryption and decryption algorithms of EdonY are quite simple and of linear complexity; hence EdonY can be used for secure online communication (and it can be parallelized in an obvious way to obtain faster communication if needed).

An exemplary construction of EdonY uses an alphabet of 5-bit letters, but it should be apparent how the encryption and decryption algorithms can be redesigned for an alphabet of m-bit letters. The flexibility of the design and the possibility of choosing the desired key length are very important properties of EdonY. Thus, EdonY can be used in designing threshold security as well. Let us consider a trivial example in which the key is shared between 3 persons A, B and C, a person alone does not have the complete key, and any two of them have the complete key. Then we take a secret initial key K=K₀∥ . . . ∥K₁₉₁ of length 192 and distribute it in this way: person A obtains the part K₀∥ . . . ∥K₁₂₇, person B the part K₆₄∥ . . . ∥K₁₉₁, and person C the part K₀∥ . . . ∥K₆₃∥K₁₂₇∥ . . . ∥K₁₉₁. Each person lacks 64 of the 5-bit letters K_(i) of the secret key, and there are 32⁶⁴=2³²⁰ possible variations for completing the secret key. Suitable secure designs for s-out-of-p threshold systems can be defined as well.

The preferred design of EdonY allows its hardware implementation in embedded systems with a small amount of memory, i.e. less than 2 Kb of memory, since a quasigroup of order 32 can be stored in 1 Kb.

We note that additional security of EdonY can be obtained if the initial quasigroup of order 32 is secret too, since the number of such quasigroups is much larger than 2¹⁰⁰⁰.

In another aspect of the present invention we introduce the notion of a new type of stream cipher, the Totally Asynchronous Stream Cipher (TASC), and demonstrate several benefits of these ciphers. As described above, stream ciphers are divided by the way they act upon a received error in communication between two parties that use the stream cipher. If the decrypted stream does not suffer from an error that occurred during the transmission (except for the error on the actual erroneous byte or block of bytes), then we speak about a synchronous stream cipher. On the other hand, if the error affects the decrypted stream, we speak about an asynchronous stream cipher. However, all asynchronous ciphers defined in the literature have the property that they are self-synchronizing. Namely, after several transmitted blocks that will be decrypted erroneously, the correct decryption of the stream is established again. From the point of view of ensuring that the correct stream of data starts to flow again, self-synchronization is a very useful property. However, both synchronous and self-synchronizing stream ciphers are exposed to attacks in which an adversary who monitors the line of communication alters the data (so-called dynamic attacks). Thus, additional mechanisms for ensuring data integrity may need to be used when using cryptographic primitives such as stream ciphers (synchronous or self-synchronizing).

General properties of the synchronous cipher EdonX can be used to provide a cipher that cannot recover from an error introduced in the process of communication, but still has the important property that its provable security is guaranteed by the same mathematical theorems applied to the synchronous version. Although the property of being a totally asynchronous stream cipher can be seen as a disadvantage, there are in fact several useful applications of such ciphers: a provably secure stream cipher that can guarantee data integrity, authentication and error correction.

A Synchronous stream cipher has been defined above as one in which the keystream is generated independently of the plaintext message and of the ciphertext. A self-synchronizing or asynchronous stream cipher, on the other hand, is one in which the keystream is generated as a function of the key and a fixed number of previous ciphertext digits.

The encryption function of a self-synchronizing stream cipher can be described by the equations:

σ_(i) = (c_(i−t), c_(i−t+1), . . . , c_(i−1)),  z_(i) = g(σ_(i), k),  c_(i) = h(z_(i), m_(i))

where σ₀=(c_(−t), c_(−t+1), . . . , c_(−1)) is the (non-secret) initial state, k is the key, g is the function which produces the keystream z_(i), and h is the output function which combines the keystream and the plaintext m_(i) to produce the ciphertext c_(i).

By contrast, a Totally Asynchronous Stream Cipher is defined as one in which the keystream is generated as a function of the intermediate key and a fixed number of previous plaintext digits.

The encryption function of a totally asynchronous stream cipher can be described by the equations:

k_(i+1) = f(k_(i), m_(i)),  c_(i) = h(k_(i), m_(i))

where k₀ is the initial secret state of the key, f is the key next-state function, and h is the output function which nonlinearly combines the key and the plaintext m_(i) to produce the ciphertext c_(i).

The decryption function of a totally asynchronous stream cipher can be described by the equations:

k_(i+1) = f⁻¹(k_(i), c_(i)),  m_(i) = h⁻¹(k_(i), c_(i))

So, from the definition it is clear that self-synchronizing and totally asynchronous stream ciphers differ in the way the keystream is generated. While for self-synchronizing stream ciphers the keystream depends on a fixed number of previous ciphertext digits, for a totally asynchronous stream cipher it depends on a fixed number of previous plaintext digits. Here, a crucial question can be posed: what if the source of plaintext has poor characteristics from the randomness point of view? What if the stream of plaintext has very low entropy (in the extreme case, entropy 0)? If the definition of a totally asynchronous stream cipher is applied to the classical well-known stream ciphers using shift-register techniques and S-boxes, the result would be a totally poor stream cipher that generates a keystream with a short and predictable period. Thus, the main problem in designing a high-quality totally asynchronous stream cipher is to design a stream cipher whose keystream depends on a fixed number of previous plaintext digits, but still does not fall into a short periodic cycle and does not produce a keystream with poor randomness characteristics, even when the source of plaintext digits has entropy 0. Below we illustrate a Totally Asynchronous Stream Cipher.

We give an exemplary possible implementation of a Totally Asynchronous Stream Cipher using Quasigroup String Transformations.

Given the definitions of a quasigroup and a Latin square provided above, and given the relations of isotopism and autotopism provided above, the effect of any permutation of the columns and rows of a Latin square L can be summarized in the following Lemma:

Lemma: Any permutation of the rows and columns of a Latin square L_(n×n) associated with a quasigroup (Q,*) results in a new Latin square L′_(n×n) whose associated quasigroup (Q,*′) is autotopic to the original quasigroup (Q,*).

As a direct consequence of this Lemma we have that for each quasigroup (Q,*) of order n there are up to (n!)²−1 different autotopic quasigroups to (Q,*).

Given a quasigroup (Q,*), five new operations *⁻¹, ⁻¹*, ⁻¹(*⁻¹), (⁻¹*)⁻¹, *^(*) on the set Q can be derived by:

*⁻¹(x,y) = z  ⇔  x*z = y

⁻¹*(x,y) = z  ⇔  z*y = x

⁻¹(*⁻¹)(x,y) = z  ⇔  *⁻¹(z,y) = x  ⇔  z*x = y

(⁻¹*)⁻¹(x,y) = z  ⇔  ⁻¹*(x,z) = y  ⇔  y*z = x

*^(*)(x,y) = z  ⇔  y*x = z

The set Par(*)={*, *⁻¹, ⁻¹*, ⁻¹(*⁻¹), (⁻¹*)⁻¹, *^(*)} is said to be the set of parastrophes of *. Then, for each g ∈ Par(*), (Q,g) is a quasigroup too and Par(*)=Par(g). Usually, for a multiplicatively denoted quasigroup (Q,*), instead of *⁻¹, ⁻¹* one writes \, / respectively, and calls them left and right parastrophes, as described above. Then

x*y = z  ⇔  y = x\z  ⇔  x = z/y

Then the algebra (Q, *, \, /) satisfies the identities

x\(x*y) = y,  (x*y)/y = x,  x*(x\y) = y,  (x/y)*y = x

The methods of quasigroup string transformations are described above.

As with EdonX, EdonZ preferably operates on nibbles, i.e., on 4-bit variables. That is because it preferably uses a quasigroup (Q,*) of order 16 for performing quasigroup string transformations on the streams of data. So, the values of the corresponding Latin square are represented by 4 bits. The same holds for the values of the key K. It is stored in n=64 internal variables K_(i), i.e. K=K₀K₁ . . . K_(n−1). The variables K_(i) also have values in the range {0, 1, . . . , 15}.

EdonZ uses the initial value K_(in) for the initialization phase. Using the information stored in K_(in), EdonZ transforms the initial quasigroup (Q,*) and also transforms the values of K_(in). The values of K will also change as the processing of the stream is performed. EdonZ also uses two temporary 4-bit variables T and X. EdonZ differs from the synchronous EdonX in the way the initial values of the variables X and T are set and in the way the final computation of X is done. Moreover, in the decrypting phase EdonX does not use the left parastrophe of Q(*), since it is a binary additive stream cipher, but EdonZ needs Qpar(*). A table illustrating a preferred operation of EdonZ is shown below.

TABLE 1. Totally Asynchronous Stream Cipher

Phase 1. Initialization: From the initial key K_(in) of length n obtain the new working key K of length 64 and the new quasigroup (Q, *) ← Autotope((Q, *)).

Encryption.
Input: Key k₀ of length n and message M.
Output: Message C.
1) X ← InputNibble;
2) T ← 0;
3) For i = 0 to n − 1 do
     X ← Q[K_(i), X];
     T ← T ⊕ X;
     K_(i) ← X;
4) K_(n−1) ← T;
5) Output X;
6) Go to 1;

Decryption.
Input: Key k₀ of length n and message C.
Output: Message M.
1) X, T ← InputNibble;
2) temp ← K_(n−1);
3) For i = n − 1 downto 0 do
     X ← Qpar[temp, X];
     T ← T ⊕ X;
     temp ← K_(i−1);
     K_(i−1) ← T;
4) K_(n−1) ← T;
5) Output X;
6) Go to 1;

The operation ⊕ is the operation of exclusive or (XOR) on 4-bit variables.

A very important phase of the EdonZ algorithm is the Initialization phase. It preferably is the same as in EdonX and incorporates already known techniques in cryptographic algorithms such as padding a message, expanding a message and transforming the expanded message. In this situation the message is the secretly shared initial key K_(in). The information from the expanded and transformed key then is used to transform the initially given quasigroup as well as to set the initial values for 64 nibbles (256 bits) of the working key K.

At the end of the initialization phase, we obtain two working structures that are not known to the adversary. Namely, a first unknown structure is the working quasigroup (Q,*) that is an autotope of the original quasigroup Q(•) and it is one of about (16!)³≈2¹³² autotopes, and a second unknown structure is the working key K of length 4m bits (m nibbles) that replaces original initial secret key K_(in).

Another very significant property of EdonZ as a TASC can be stated with the following theorem:

Theorem 8 Let M=M₁M₂ . . . M_(μ) be a representation of M into sub-blocks M_(i), where M₁=m₁ . . . m_(i₁), M₂=m_(i₁+1) . . . m_(i₂) and so on, and let (K_(i),C_(i))=T(K_(i−1),M_(i)), where K₀=k₀ is the initial key. Then, for any representation of M into sub-blocks, the resulting ciphertext C=c₁c₂ . . . =C₁C₂ . . . C_(μ) is the same.

The proof is straightforward by induction on the length of the message M.

The above theorem ensures that even though EdonZ is a stream cipher, we can process the input plaintext in smaller parts (blocks), and whatever representation of M into blocks we choose before encryption, the final ciphertext will be the same. So blocks can be of one letter, of 4 letters or even of 100 letters, and the resulting ciphertext will be the same.

Next, we will describe an example that works on the principles of EdonZ, but for simplicity of the explanation, instead of using the preferred 16×16 quasigroups, we will continue to use quasigroups of order 4. Moreover, instead of using an expanded key of length 512, we will shorten it to length 16. The initial key can have length from 1 to 15, so its length will be represented by two concatenated 2-bit letters from the range {0, 1, 2, 3}, and the working key will be of length 4.

Let us suppose that the initial quasigroup Q(*) is the same as the one given in EdonX Example 1 above, i.e. the quasigroup Q(*) is:

Q(*) | 0 1 2 3
-----+--------
  0  | 2 1 0 3
  1  | 3 0 1 2
  2  | 1 2 3 0
  3  | 0 3 2 1

Further, let us set the initial value K_(in)=1 3 1. Since the length of K_(in) is 3, and since the representation of the number 3 with two 2-bit letters is 03, we pad K_(in) and obtain K_(in)=1 3 1 0 3. Then by concatenating K_(in) several times we obtain K_(ex) of length 16, i.e. K_(ex)=1 3 1 0 3 1 3 1 0 3 1 3 1 0 3 1. Then by transforming the expanded key with e_(l,*) transformations, where the leaders l are taken cyclically to be the values of the padded K_(in), we obtain the final value of K_(ex). In the following table we summarize those transformations.

K_(ex)                              Leader
1 3 1 0 3 1 3 1 0 3 1 3 1 0 3 1     1
0 3 3 0 3 3 1 0 2 0 1 2 2 1 2 2     RotateLeft
3 3 0 3 3 1 0 2 0 1 2 2 1 2 2 0     3
1 2 1 2 0 1 3 2 1 0 0 0 1 1 1 3     RotateLeft
2 1 2 0 1 3 2 1 0 0 0 1 1 1 3 1     . . .
. . .                               RotateLeft
0 1 2 3 3 1 1 0 2 1 3 1 0 3 2 2     1
3 3 2 0 3 3 3 0 0 1 2 2 1 2 3 2     RotateLeft
3 2 0 3 3 3 0 0 1 3 2 1 2 3 2 3

With the last values of K_(ex) we will start iteratively to swap the rows and columns of the initial quasigroup Q(*) to obtain its autotope. So, first we will swap the rows 3 and 2, then the columns 0 and 3, then again rows 3 and 3 (no swapping in this situation), and so on. The final result of all those swappings will give us the quasigroup Q(*) shown below (by which we can compute also its left parastrophe Qpar(*)).

Q(*) | 0 1 2 3        Qpar(*) | 0 1 2 3
-----+--------        --------+--------
  0  | 3 0 2 1           0    | 1 3 2 0
  1  | 1 2 0 3           1    | 2 0 1 3
  2  | 0 3 1 2           2    | 0 2 3 1
  3  | 2 1 3 0           3    | 3 1 0 2

The working key K will take the last 4 letters of K_(ex) and be K=2 3 2 3. Now, let us encrypt some plaintext stream. Let the plaintext message be M={0,0,1,0,9,3,0,0,1,2,0,0,1,0,0,2,0,0,0,3}. The steps of EdonZ encryption are shown in the following table.

         M₀         M₁         M₂         M₃        . . .
         K  X  T    K  X  T    K  X  T    K  X  T
l           0  0       0  0       1  0       0  0   . . .
2 0 0 0 3 3 3 3 1 1 1 1 1 1 3 3 3 2 3 1 2 3 2 3 1 0 2 2 1 3 1 0 1 0 1 2 1 3 2 3 3 1 0 2 0 1 1 2 1 1 0 2
Output      1          0          2          0      (C = X)

The initial value of X is the value of the input stream nibble, and the initial value of T is always 0. The final value of X (X₃ in the table, the value of X after the last step) is in fact the output nibble. Notice that we have the same situation for the new values of the key K. Namely, it is always K=K₀K₁K₂K₃=X₀X₁X₂T₃, where X₀, X₁, X₂, X₃ are the successive values of X computed in the steps i=0, 1, 2, 3 and T₃=X₀⊕X₁⊕X₂⊕X₃.
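The round of Table 1 on the worked example's order-4 quasigroup, as an added Python illustration that is not part of the patent text: it derives the parastrophes \ and / from the table (checking the four identities from the parastrophe section and reproducing the printed Qpar(*)), runs the encryption step, decrypts by inverting that step exactly, and checks Theorem 8 and the absence of resynchronization after a corrupted ciphertext nibble. The quasigroup and key K=2 3 2 3 are those printed above; the constructed test message, the tamper position and the function names are this example's own.

```python
"""EdonZ round of Table 1 on the order-4 working quasigroup of the worked
example.  Added illustration, not the patent's own code: the tables are
the printed ones, the longer test message is constructed."""

# Working quasigroup Q(*) and its left parastrophe Qpar(*) as printed in the
# worked example; Qpar is recomputed below and compared with this copy.
Q = [[3, 0, 2, 1],
     [1, 2, 0, 3],
     [0, 3, 1, 2],
     [2, 1, 3, 0]]
QPAR_PRINTED = [[1, 3, 2, 0],
                [2, 0, 1, 3],
                [0, 2, 3, 1],
                [3, 1, 0, 2]]


def is_latin_square(t):
    """A finite quasigroup table is exactly a Latin square."""
    n, syms = len(t), set(range(len(t)))
    return (all(set(row) == syms for row in t)
            and all({t[i][j] for i in range(n)} == syms for j in range(n)))


def parastrophes(t):
    """left[x][z] = x\\z (the y with x*y = z); right[z][y] = z/y (the x with x*y = z)."""
    n = len(t)
    left = [[0] * n for _ in range(n)]
    right = [[0] * n for _ in range(n)]
    for x in range(n):
        for y in range(n):
            z = t[x][y]
            left[x][z] = y
            right[z][y] = x
    return left, right


def parastrophe_identities_hold(t):
    """x\\(x*y)=y, (x*y)/y=x, x*(x\\y)=y, (x/y)*y=x for every x, y in Q."""
    left, right = parastrophes(t)
    n = len(t)
    return all(left[x][t[x][y]] == y and right[t[x][y]][y] == x
               and t[x][left[x][y]] == y and t[right[x][y]][y] == x
               for x in range(n) for y in range(n))


def encrypt_nibble(q, key, m):
    """Encryption step of Table 1; key is the working key, updated in place."""
    n = len(key)
    x, t = m, 0
    for i in range(n):
        x = q[key[i]][x]   # X <- Q[K_i, X]
        t ^= x             # T <- T xor X
        key[i] = x         # K_i <- X
    key[n - 1] = t         # K_{n-1} <- T
    return x


def decrypt_nibble(qpar, key, c):
    """Exact inverse of encrypt_nibble: recover the chain X_n = c,
    X_i = K_i \\ X_{i+1} with the left parastrophe (since K_i * X_i = X_{i+1}),
    then apply the same key update as the encryptor."""
    n = len(key)
    chain = [0] * (n + 1)
    chain[n] = c
    for i in range(n - 1, -1, -1):
        chain[i] = qpar[key[i]][chain[i + 1]]
    t = 0
    for i in range(n):
        key[i] = chain[i + 1]
        t ^= chain[i + 1]
    key[n - 1] = t
    return chain[0]


def encrypt(q, key, msg, block_len=None):
    """Encrypt msg nibble by nibble and return (ciphertext, final working key).
    block_len only splits the work into blocks; the state carries over, so the
    ciphertext is the same for every partition (Theorem 8)."""
    key = list(key)
    block_len = block_len or max(len(msg), 1)
    out = []
    for start in range(0, len(msg), block_len):
        for m in msg[start:start + block_len]:
            out.append(encrypt_nibble(q, key, m))
    return out, key


def decrypt(q, key, ct):
    """Decrypt ct and return (plaintext, final working key)."""
    qpar, _ = parastrophes(q)
    key = list(key)
    return [decrypt_nibble(qpar, key, c) for c in ct], key


def positions_changed_by_tamper(q, key, msg, pos):
    """Flip one ciphertext nibble and report the plaintext positions that decrypt
    wrongly; a TASC never resynchronizes, so the damage starts at pos and
    continues through the working key."""
    ct, _ = encrypt(q, key, msg)
    ct[pos] ^= 1
    pt, _ = decrypt(q, key, ct)
    return [i for i, (a, b) in enumerate(zip(msg, pt)) if a != b]
```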

Next, the security of EdonZ will be analyzed. We will assume that the adversary has knowledge of one or more (plaintext, ciphertext) pairs. Further, we will also assume that the initial value of the key K_(in) as well as the internal states of the cipher (the working key K, the working quasigroups Q(*) and Qpar(*), and the values of X and T) are not known to the adversary and that s(he) cannot access them physically. We will consider that the adversary has broken EdonZ if, by knowing only the pairs of (plaintext, ciphertext), s(he) is in a position to successfully reconstruct some part of the working key K.

In the first part of the analysis we will show that without knowledge of the initial key K_(in) there is no efficient way of knowing the initial value of the working key K and the working quasigroup Q(*). Then we will further analyze EdonX in synchronous mode and in totally asynchronous mode.

For the security of the initialization phase, since it preferably is the same as in EdonX, we can say that the initialization phase of EdonZ is cryptographically secure. As to the security of EdonZ in totally asynchronous mode, we will assume that the working quasigroup Q(*) is not known to the adversary (unless s(he) makes an exhaustive search in the whole set of autotopes of the originally given quasigroup Q(*), and that search is of order 2¹³²). Also, we will assume that the adversary does not know the initial value of the working key K, which is of length 64 nibbles, i.e. 256 bits.

To prove that EdonZ is secure against a chosen plaintext attack, let us assume that the adversary knows one (of many) pair of (plaintext, ciphertext) (M,C)=((M₀M₁ . . . ), (C₀C₁ . . . )). We will use the same notation as in the case of the synchronous stream cipher, for the i-th generation of the nibbles in K and X: K_(i,j) and X_(i,j) respectively.

For the first pair of nibbles (M₀,C₀) the adversary can obtain the following system of quasigroup equations:

K_(0,0) * M₀ = X_(0,0)

K_(0,1) * X_(0,0) = X_(0,1)

K_(0,2) * X_(0,1) = X_(0,2)   (4)

. . .

K_(0,62) * X_(0,61) = X_(0,62)

K_(0,63) * X_(0,62) = X_(0,63)

X_(0,63) = C₀

Knowing the value of C₀=X_(0,63), the adversary can try to solve the equation K_(0,63)*X_(0,62)=X_(0,63). That equation has two unknown variables: K_(0,63) and X_(0,62). Since the quasigroup operation * is also unknown, the adversary can guess any of the 256 possible solutions. Taking those values as a guess, s(he) can continue upwards, seeking a solution for K_(0,62)*X_(0,61)=X_(0,62), which again can have any of 256 possible solutions, and so on. Finally the adversary will reach the first equation K_(0,0)*M₀=X_(0,0), by which s(he) will find the value of K_(0,0).

Here we have again a situation when the adversary has no other mechanism to know if s(he) made a good guess for the values of the key K and the quasigroup operations Q(*) unless s(he) runs through all equations (except the first one) which again gives the total number of guesses to be 2²⁵²×2¹³²=2³⁸⁴.

It is contemplated that a usage of EdonZ would be in implementing security protocols for checking the integrity of data received through a public channel of communication, without using two types of cryptographic algorithms: a Stream Cipher and a Message Authentication Code (or Secure Hash Function). The concept of TASC has both properties. EdonZ, as a quasigroup stream cipher along with EdonX and EdonY, also has the following properties:

Flexibility: A closer look at the EdonZ initialization phase will show that instead of using a maximum of 64 nibbles of initial key it is straightforward to enlarge that number to 128, 1024, 2048 or any other number of nibbles. The importance of this fact is that EdonZ can satisfy different security criteria, from average to extreme; thus, a very suspicious user can use a secret key of 1K (or 1M) nibbles, i.e. 4K (or 4M) bits, without any need to redesign the algorithm. For higher security a longer initial secret key should be chosen, but the number of computations depends linearly on the length of the key.

Additional security: The security of the system becomes much stronger if we suppose that the initial quasigroup and the length of the initial key are secret too. Thus, if the initial quasigroup is secret, instead of about (16!)³≈2¹³² autotopisms, the adversary has to consider all quasigroup operations of order 16, and the number of these is not known, but is larger than 10¹²⁰≈2⁴⁰⁰.

As with EdonX, the preferred design of EdonZ operates on 4-bit registers and uses two fixed lookup tables that are quasigroups of order 16 and can be stored in only 256 bytes. Together with the internal memory and the execution code of the algorithms, EdonZ can be implemented in less than 1 KB. Thus, EdonZ is suitable for hardware implementation as an embedded system in chip cards with an extremely small amount of memory, i.e. less than 1 KB of memory.

Another potential usage of EdonZ or similar TASC stream ciphers is in the field of error correction algorithms. An exemplary Error Correction Algorithm, preferably using a TASC such as EdonZ, will now be discussed. This method is a core method for generating random codes that can be decoded relatively quickly even if a significant portion of the received data is corrupted by errors. We show that there exists a class of codes, generated by quasigroup string transformations, which are almost random and are efficiently decodable. The initial numerical experiments indicate that these codes may significantly outperform Turbo and LDPC codes. For example, for SNR=0.0 dB, rate ½ and a block length of only 288 bits, these codes give BER=1.7×10⁻⁵, and for SNR=−0.5 dB, rate ¼ and a block length of only 864 bits they produce BER=4.1×10⁻⁵.

The non-constructive proof of the noisy-channel coding theorem shows that good block codes exist for any noisy channel, and moreover that nearly all block codes are good. However, writing down an explicit and practical encoder and decoder that are as good as proved by Shannon in his seminal work A Mathematical Theory of Communication is still an unsolved problem.

Recently, it has been recognized that two classes of codes, namely turbo codes and low-density parity-check (LDPC) codes, perform at rates extremely close to the Shannon limit. Turbo and LDPC codes are based on a similar philosophy: constrained random code ensembles, described by some fixed parameters plus randomness, decoded using iterative algorithms or message passing decoders.

Additional aspects of the present invention provide a class of error correcting codes with the following two properties: first, for an arbitrary codeword C, the distribution of substrings of C of length r is uniform, and second, the coding is iterative, which means that it is a composition of mappings defined on strings of small length. The first property ensures that our codes are almost random. Of course, decoding of random codes is an NP-complete problem. However, the second property ensures that our codes can be efficiently decoded. An instance of such codes implemented with quasigroup string transformations is described in detail. Our preliminary numerical simulations show that the proposed codes significantly outperform the corresponding turbo and LDPC codes.

To describe the preferred code, consider that a source of information produces a stream of symbols. The stream is partitioned into blocks of length N_(block). Each of the 2^(N_(block)) possible blocks is mapped to a codeword (i.e., a sequence of bits) of length N>N_(block) by the encoder and transmitted through the channel. Therefore, an error correcting code is defined as a mapping T: {0,1}^(N_(block)) → {0,1}^(N).

The code T according to embodiments of the present invention is defined as follows. Let M be a block of N_(block) bits. First, we add zero bits and produce a block L of length N. Second, we rewrite L as L=L₁L₂ . . . L_(p), where each L_(i) is a block of s bits (we assume that N=sp). Third, the block L is mapped with a bijection to a block C=C₁C₂ . . . C_(p) in the following way.

Let k_(1,1), k_(1, 2), . . . , k_(1,n) be n initial strings each of length s. The block L is mapped to C as

$\left. \begin{array}{l} \text{For } i = 1, 2, \ldots, p \\ \quad b_{i,0} = L_{i} \\ \quad \text{For } j = 1, 2, \ldots, n \\ \qquad b_{i,j} = f(k_{i,j}, b_{i,j-1}) \\ \qquad k_{i+1,j} = g(k_{i,j}, b_{i,j-1}) \\ \quad \text{End } j \\ \quad C_{i} = b_{i,n} \\ \text{End } i \end{array} \right\} \quad (1)$

where f and g are appropriate operations. Note that (1) defines uniquely our code T.

If we write k^((i))=k_(i,1), k_(i,2) . . . k_(i,n), i=1, 2, . . . p+1, then equation (1) defines also the following two maps. First, a map F: A^(n)×A^(p)→A^(n)×A^(p) such that (k^((p+1)), C)=F(k⁽¹⁾, L), where A={0, 1}¹ is a set of all strings with length 1. Second, a map G₁: A^(n)×A¹→A^(n)×A¹ such that (k^((i+1)),C_(i))=G₁(k^((i)),L_(i)) for each i=1, 2, . . . , p. For this reason we say that our code is iterative in two ways: (i) for each L_(i), f is iterated n times to produce C_(i); and (ii) k⁽¹⁾ is iterated p times to give k^((p+1)).

In the following, instead of G₁ we will work with the map G₄≡G. For simplicity let us assume that p=4r. Then equation (1) can be rewritten as

$\left. \begin{array}{l} \text{For } l = 1, 2, \ldots, r \\ \quad L^{(l)} = L_{4l-3} L_{4l-2} L_{4l-1} L_{4l} \\ \quad \text{For } i = 4l-3, 4l-2, 4l-1, 4l \\ \qquad b_{i,0} = L_{i} \\ \qquad \text{For } j = 1, 2, \ldots, n \\ \qquad\quad b_{i,j} = f(k_{i,j}, b_{i,j-1}) \\ \qquad\quad k_{i+1,j} = g(k_{i,j}, b_{i,j-1}) \\ \qquad \text{End } j \\ \qquad C_{i} = b_{i,n} \\ \quad \text{End } i \\ \quad C^{(l)} = C_{4l-3} C_{4l-2} C_{4l-1} C_{4l} \\ \text{End } l. \end{array} \right\} \quad (2)$

Equation (2) defines a map G: A^(n)×A⁴→A^(n)×A⁴ such that (k^((4l+1)), C^((l)))=G(k^((4l−3)), L^((l))), for l=1, 2, . . . , r.

In addition, our code has the following property: the code is almost random, which means that for every M ∈ {0,1}^(N_(block)), the distribution of substrings of C=T(M) ∈ {0,1}^(N) of length k, 1 ≤ k ≤ n, when N is large enough, is uniform.

Quasigroup operations and quasigroup string transformations are performed similarly to that for EdonX, EdonY, and EdonZ, for example.

Consider an alphabet (i.e. a finite set) A, and denote by A⁺ the set of all nonempty words (i.e. finite strings) formed by the elements of A. The elements of A⁺ will be denoted by a₁a₂ . . . a_(n) rather than (a₁, a₂, . . . , a_(n)), where a_(i) ∈ A. Let * be a quasigroup operation on the set A. For each l ∈ A we define a function e_(l,*): A⁺→A⁺ as follows. Let a_(i) ∈ A, α=a₁a₂ . . . a_(n). Then

e_(l,*)(α) = b₁ . . . b_(n)

b_(i+1) = b_(i) * a_(i+1)   (3)

for each i=0, 1, . . . , n−1, where b₀=l. The function e_(l,*) is called an e-transformation of A⁺ based on the operation * with leader l.

Several quasigroup operations can be defined on the set A; let *₁, *₂, . . . , *_(k) be a sequence of (not necessarily distinct) such operations. We also choose leaders l₁, l₂, . . . , l_(k) ∈ A (not necessarily distinct either), and then the composition of mappings

E_(k) = e_(l₁,*₁) ∘ e_(l₂,*₂) ∘ . . . ∘ e_(l_(k),*_(k))

is said to be an E-transformation of A⁺. The function E_(k), which is actually a permutation, has many interesting properties. A very significant one is the following:

Theorem 9: Consider an arbitrary string α=a₁a₂ . . . a_(n) ∈ A⁺, where a_(i) ∈ A, and let β=E_(k)(α). If n is a large enough integer then, for each l with 1 ≤ l ≤ k, the distribution of substrings of β of length l is uniform. (For l>k the distribution of substrings of β of length l may not be uniform.)

The coding has two general parts. In the example provided herein, we describe the design of a rate ½ code only; the generalization to different coding rates is straightforward. Suppose that the message to be sent has the form M=m₁m₂ . . . m₁₈, where the m_(i) are nibbles (4-bit letters). In the first part, we add redundant information and obtain L=L⁽¹⁾L⁽²⁾L⁽³⁾L⁽⁴⁾L⁽⁵⁾L⁽⁶⁾L⁽⁷⁾L⁽⁸⁾L⁽⁹⁾, where L⁽¹⁾=m₁m₂m₃0₄, L⁽²⁾=m₄m₅m₆0₄, L⁽³⁾=m₇m₈m₉0₄, L⁽⁴⁾=0₄0₄0₄0₄, L⁽⁵⁾=m₁₀m₁₁m₁₂0₄, L⁽⁶⁾=m₁₃m₁₄m₁₅0₄, L⁽⁷⁾=m₁₆m₁₇m₁₈0₄, L⁽⁸⁾=0₄0₄0₄0₄, L⁽⁹⁾=0₄0₄0₄0₄, and 0₄ is the string of 4 zeros (the zero nibble). Therefore, each L^((i)) is a string of 16 bits. Since we add 18 zero nibbles, the rate of the code is ½. This is shown schematically in Table I.

TABLE I CODES WITH RATES ½ AND ¼

         Rate ½                 Rate ¼
  m₁   m₂   m₃   0        m₁   m₂   0    0
  m₄   m₅   m₆   0        m₃   m₄   0    0
  m₇   m₈   m₉   0        m₅   0    0    0
  0    0    0    0        0    0    0    0
  m₁₀  m₁₁  m₁₂  0        m₆   m₇   0    0
  m₁₃  m₁₄  m₁₅  0        m₈   0    0    0
  m₁₆  m₁₇  m₁₈  0        m₉   0    0    0
  0    0    0    0        0    0    0    0
  0    0    0    0        0    0    0    0

TABLE II A QUASIGROUP OF ORDER 16 THAT WE USED IN OUR EXPERIMENTS (entry in row x, column y is x*y)

  *   0 1 2 3 4 5 6 7 8 9 a b c d e f
  0   3 c 2 5 f 7 6 1 0 b d e 8 4 9 a
  1   0 3 9 d 8 1 7 b 6 5 2 a c f e 4
  2   1 0 e c 4 5 f 9 d 3 6 7 a 8 b 2
  3   6 b f 1 9 4 e a 3 7 8 0 2 c d 5
  4   4 5 0 7 6 b 9 3 f 2 a 8 d e c 1
  5   f a 1 0 e 2 4 c 7 d 3 b 5 9 8 6
  6   2 f a 3 c 8 d 0 b e 9 4 6 1 5 7
  7   e 9 c a 1 d 8 6 5 f b 2 4 0 7 3
  8   c 7 6 2 a f b 5 1 0 4 9 e d 3 8
  9   b e 4 9 d 3 1 f 8 c 5 6 7 a 2 0
  a   9 4 d 8 0 6 5 7 e 1 f 3 b 2 a c
  b   7 8 5 e 2 a 3 4 c 6 0 d f b 1 9
  c   5 2 b 6 7 9 0 e a 8 c f 1 3 4 d
  d   a 6 8 4 3 e c d 2 9 1 5 0 7 f b
  e   d 1 3 f b 0 2 8 4 a 7 c 9 5 6 e
  f   8 d 7 b 5 c a 2 9 4 e 1 3 6 0 f

In Table I we also show a rate ¼ code. We also say that this rate ½ code is a (72,144) code (the length of M is 72 bits, the length of L is 144 bits).

In the second part of the coding we choose f to be the quasigroup operation defined in Table II and g to be

k_(i+1,j)=b_(i,j) for j=1, . . . , n−1,

k_(i+1,n)=b_(i,1)⊕ . . . ⊕b_(i,n).

In the numerical experiments presented here we use the code (144,288). This was done in the following way. Let L be rewritten as a concatenation of two sub-patterns L=L₁0₄ where L₁=L⁽¹⁾ L⁽²⁾ . . . L⁽⁸⁾. Then the code (144,288) can be described as L=L₁L₂0₄0₄, where L₂=L⁽⁹⁾ L⁽¹⁰⁾ . . . L⁽¹⁶⁾.

We will present an example that works with blocks of 288 bits and has rate ¼. The TASC algorithm that we used in the encoding and decoding phases is shown in the following table.

TABLE III TOTALLY ASYNCHRONOUS STREAM CIPHER

Encryption. T(k, M) = (k_(c), C)
Input: Key k of length n and message M.
Output: Message C.
  1) X ← InputNibble;
  2) T ← 0;
  3) For i = 0 to n − 1 do
       X ← Q[K_(i), X];
       T ← T ⊕ X;
       K_(i) ← X;
  4) K_(n−1) ← T;
  5) Output X;
  6) Go to 1;

Decryption. T⁻¹(k, C) = (k_(c), M)
Input: Key k of length n and message C.
Output: Message M.
  1) X, T ← InputNibble;
  2) temp ← K_(n−1);
  3) For i = n − 1 downto 0 do
       X ← Qpar[temp, X];
       T ← T ⊕ X;
       temp ← K_(i−1);
       K_(i−1) ← X;
  4) K_(n−1) ← T;
  5) Output X;
  6) Go to 1;

In the above algorithm the notation Q[K_(i), X] means the quasigroup operation K_(i)*X, and ⊕ is bitwise exclusive OR. The notation Qpar[temp, X] means that we use the left parastrophic operation temp\X of the quasigroup Q(*), i.e. the unique X′ with temp*X′=X.

The transmitted code word is C. Due to the noise, a different sequence of symbols D=d₁d₂ . . . d₃₆, where d_(i) is a nibble, is received. The decoding problem is to infer L, given D, the definition of the code, and the properties of the noisy channel. We assume that the channel is a binary symmetric channel. Let H(h₁,h₂) be a function that returns the Hamming distance between two strings h₁ and h₂ of the same length (in bits).

TABLE IV THE LEFT PARASTROPHE Qpar(\) OF THE QUASIGROUP Q(*) THAT WE USED IN OUR EXPERIMENTS (entry in row x, column y is x\y, the z with x*z=y)

  \   0 1 2 3 4 5 6 7 8 9 a b c d e f
  0   8 7 2 0 d 3 6 5 c e f 9 1 a b 4
  1   0 5 a 1 f 9 8 6 4 2 b 7 c 3 e d
  2   1 0 f 9 4 5 a b d 7 c e 3 8 2 6
  3   b 3 c 8 5 f 0 9 a 4 7 1 d e 6 2
  4   2 f 9 7 0 1 4 3 b 6 a 5 e c d 8
  5   3 2 5 a 6 c f 8 e d 1 b 7 9 4 0
  6   7 d 0 3 b e c f 5 a 2 8 4 6 9 1
  7   d 4 b f c 8 7 e 6 1 3 a 2 5 0 9
  8   9 8 3 e a 7 2 1 f b 4 6 0 d c 5
  9   f 6 e 5 2 a b c 8 3 d 0 9 4 1 7
  a   4 9 d b 1 6 5 7 3 0 e c f 2 8 a
  b   a e 4 6 7 2 9 0 1 f 5 d 8 b 3 c
  c   6 c 1 d e 0 3 4 9 5 8 2 a f 7 b
  d   c a 8 4 3 b 1 d 2 9 0 f 6 7 5 e
  e   5 1 6 2 8 d e a 7 c 9 4 b 0 f 3
  f   e b 7 c 9 4 d 2 0 8 6 3 5 1 a f

The TASCECA algorithm is defined as follows:

1) Define the initial set of decoding candidates S₀={(k₀,λ)}.

2) For i=1 to μ do

S_(i)={(k,m′) | ∃(k″,m″)∈S_(i−1) and ∃D″ with H(D″,D_(i))≦B such that (k,m″_(d))=f⁻¹(k″,D″) and m′=m″m″_(d), where m″_(d) has the same redundant information as M′_(i)}

3) From the last set S_(μ) choose an element (k,m′)εS_(μ).

4) From m′ obtain the message M.

For example, suppose that we want to send the following message

M=4d616365646f6e6961

through a Binary Symmetric Channel, with TASCECA of rate ¼ and block length 288 bits. For easier representation of the results, we use the small value B_(max)=3. That means that for every received 4-letter word D_(i) (i.e. received 16-bit word D_(i)) we search through all of its neighbors at Hamming distance less than or equal to 3. The total number of such close neighbors is

$\binom{16}{0} + \binom{16}{1} + \binom{16}{2} + \binom{16}{3} = 697.$

According to the above tables, we transform the message M into the following message (represented as a concatenation of 4-letter words)

M′=4d00 6100 6000 0000 3600 5000 6000 0000 4600 f600 e000 0000 6900 6000 1000 0000 0000 0000.

Notice that the total number of 4-letter words in this case is L=18. Let us choose the length of the key k to be n=5 and the initial value of the key to be k₀=01234. The encoding process can be finished immediately if we transform M′ with the function T and initial value k₀. If we do that we obtain the following pair

(k,C)=T(k₀,M′)=(98f91, 26ab c306 b63b 50df 3965 39cb b564 5521 a059 6b0f 611e 2700 239f 7c7c 6973 9e53 bd9a 5f26).

However, we use Eq. (2) to represent the encoding process iteratively in the table below. The values in the table can be obtained iteratively, i.e. (k₁,C₁)=(15b40,26ab)=T(k₀,M′₁)=T(01234,4d00), then (k₂,C₂)=(7fd9a,c306)=T(k₁,M′₂)=T(15b40,6100), and so on.

The decoding phase is described in the iterative process table below. In order to save space, the elements of the sets S_(i) are shown in the form (k,M′), a little different from that described in Step 2 of the decoding phase. Namely, the M′ are shown with the redundancy removed, i.e. without the redundant 0's. Additionally, beside each element of the set S_(i) there is a 4-letter word (set in bold in the original table) of Hamming weight at most B_(max)=3. That word tells us what changes were made to the received 4-letter word D_(i) such that, when the inverse function T⁻¹ is applied to the changed word, the result has the needed structure of redundant information. So, for example, for i=1 the row “(6803e,4e), 01a8” means that (6803e,4e00)=T⁻¹(01234, 24ab⊕01a8), then the row “(15b40,4d), 0200” means that (15b40,4d00)=T⁻¹(01234, 24ab⊕0200), and so on. Next, for i=2 the row “(21a69, 4ed1), 0460” means that (21a69, d100)=T⁻¹(6803e, c326⊕0460), and so on.

TABLE V ITERATIVE PROCESS OF ENCODING THE MESSAGE M′, SHOWN WITH INTERMEDIATE VALUES OF THE KEYS k_(i), AND THE VALUES OF D_(i) THAT DIFFER FROM THE CORRESPONDING C_(i) SINCE SOME ERRORS WERE INTRODUCED BY THE BINARY SYMMETRIC CHANNEL

   i   M′_(i)   C_(i)   k_(i)   D_(i)   Errors
   1   4d00     26ab    15b40   24ab    1
   2   6100     c306    7fd9a   c326    1
   3   6000     b63b    fb47c   b6bf    2
   4   0000     50df    f45dc   54df    1
   5   3600     3965    27de3   3965    0
   6   5000     39cb    c14df   39cb    0
   7   6000     b564    20107   a564    1
   8   0000     5521    663fd   5520    1
   9   4600     a059    6013d   a051    1
  10   f600     6b0f    58dc3   7a4f    3
  11   e000     611e    f0d95   e17e    3
  12   0000     2700    ffed3   2f08    2
  13   6900     239f    35f24   b39f    2
  14   6000     7c7c    95b38   7d7c    1
  15   1000     6973    95aeb   6973    0
  16   0000     9e53    d3a8f   9e53    0
  17   0000     bd9a    78995   9d9b    2
  18   0000     5f26    98f91   cf66    3

BINARY SYMMETRIC CHANNEL (iterative decoding: the candidate sets S_(i), each element (k, M′) followed by the word D_(i)⊕D″)

  i = 0
    (01234, λ)
  i = 1, D₁ = 24ab
    (6803e, 4e), 01a8
    (15b40, 4d), 0200
    (26e23, 4c), 0620
    (6a632, 67), 1500
    (eca98, e0), 4802
    (93261, cd), 9004
  i = 2, D₂ = c326
    (21a69, 4ed1), 0460
    (87180, 4e82), 1120
    (7fd9a, 4d61), 0020
    (1028d, 4d67), 0280
    (e575d, 4d95), 2082
    (faa5c, 4deb), 8200
    (f9792, 4c65), 0002
    (bb4bb, 4ca2), 8802
    (ec036, 67c8), 0081
    (cb9ff, e075), 0218
    (1e584, cd24), 1080
  i = 3, D₃ = b6bf
    (fb47c, 4d616), 0084
    (dbbc4, 67c84), 010a
  i = 4, D₄ = 54df
    (f45dc, 4d616), 0400
    (0bdb1, 4d61603), 2009
  i = 5, D₅ = 3965
    (27de3, 4d61636), 0000
    (2578f, 4d6166b), 4802
    (a264f, 4d61615), 8080
  i = 6, D₆ = 39cb
    (c14df, 4d616365), 0000
    (e1eec, 4d616367), 1108
  i = 7, D₇ = a564
    (20107, 4d6163656), 1000
    (d3498, 4d6166be), 9000
  i = 8, D₈ = 5520
    (663fd, 4d6163656), 0001
    (95052, 4d6166b2), c010
  i = 9, D₉ = a051
    (6013d, 4d616365646), 0008
    (176de, 4d616365643), 0822
    (06677, 4d616365696), 4001
    (ce416, 4d616365655), 8c00
    (feae4, 4d616365688), 9200
  i = 10, D₁₀ = 7a4f
    (58dc3, 4d616365646f6), 1140
    (72a88, 4d6163656469c), 4110
    (b8f4f, 4d61636564616), c008
    (b443b, 4d616365643e9), 002c
    (21187, 4d616365643e2), 0a02
    (8ce41, 4d61636569644), 0040
    (7b86c, 4d61636569684), 0181
    (34856, 4d616365696f9), 1003
    (50597, 4d616365696f3), 1801
    (66058, 4d616365696d2), 2102
    (f4590, 4d61636565528), 0c08
    (3c471, 4d616365688e7), 0002
    (72831, 4d61636568855), 0002
  i = 11, D₁₁ = e17e
    (f1e2c, 4d616365655280), 2240
    (47c11, 4d61636568855c), 8001
    (f0d95, 4d616365646f6e), 8060
  i = 12, D₁₂ = 2f08
    (ffed3, 4d616365646f6e), 0808
  i = 13, D₁₃ = b39f
    (b51ef, 4d616365646f6e04), 0841
    (35f24, 4d616365646f6e69), 9000
  i = 14, D₁₄ = 7d7c
    (f9f1c, 4d616365646f6e041), 4008
    (95b38, 4d616365646f6e696), 9000
    (b5a55, 4d616365646f6e69e), 1028
  i = 15, D₁₅ = 6973
    (4d0e6, 4d616365646f6e0419), 8012
    (95aeb, 4d616365646f6e6961), 0000
  i = 16, D₁₆ = 9e53
    (d3a8f, 4d616365646f6e6961), 0000
    (c08bc, 4d616365646f6e696a), c010
  i = 17, D₁₇ = 9d9b
    (78995, 4d616365646f6e6961), 2001
  i = 18, D₁₈ = cf66
    (98f91, 4d616365646f6e6961), 9040

In the process of decoding, we iteratively decode the 4-tuples D_(i)=d_(j)d_(j+1)d_(j+2)d_(j+3), j=1+4(i−1), i=1, 2, . . . , 9, and check whether 0₄ is the last nibble of the corresponding L_(i), or whether L₄, L₈, L₉ are strings of zeros only. However, since D_(i) differs from the corresponding codeword C_(i)=c_(j)c_(j+1)c_(j+2)c_(j+3) in some bits, in the process of decoding we decode every 4-tuple that is not more than B bits distant from D_(i). In short: decoding of the codeword is a search for those D_(i)s for which, when decoded, the last nibble is a string of 4 zeros, and L₄, L₈, L₉ are strings of zeros only.

It is clear that this step is the significant iterative part of the decoder. During decoding, the number of elements in the set S of all possible candidates can increase dramatically, so it is important to keep this number under control. The positioning of the redundant data in L, as shown in Table I, is used for this purpose, but other techniques for eliminating the most unlikely candidates can also be applied. At the end of the iterative decoding the number of elements in S eventually decreases to one, meaning that all errors have been found and corrected. The decoder also has the following property: if somehow the right candidate is eliminated from the set of candidates S, several steps further the decoding process will eventually result in an empty set S, which is evidence that some wrong decoding decision was made.
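The TASC cipher of Table III and one TASCECA decoding step, as an added worked example (Python; this is not the patent's code). It assumes the quasigroup of Table II read with Q[x][y] = x*y, derives the parastrophe of Table IV from it, and reuses the page's M′ and k₀ = 01234 so the output can be compared with Table V; the redundancy check is the two trailing zero nibbles that the rate ¼ layout puts in M′₁.

```python
from itertools import combinations

# Quasigroup Q(*) of Table II: row x = left operand, column y = right operand,
# so Q[x][y] = x * y (nibbles written as hex digits).
_Q_ROWS = (
    "3c25f7610bde849a", "039d817b652acfe4", "10ec45f9d367a8b2", "6bf194ea37802cd5",
    "45076b93f2a8dec1", "fa10e24c7d3b5986", "2fa3c8d0be946157", "e9ca1d865fb24073",
    "c762afb51049ed38", "be49d31f8c567a20", "94d80657e1f3b2ac", "785e2a34c60dfb19",
    "52b6790ea8cf134d", "a6843ecd291507fb", "d13fb0284a7c956e", "8d7b5ca294e1360f",
)
Q = [[int(c, 16) for c in row] for row in _Q_ROWS]

def is_quasigroup(table):
    """Latin-square check: every row and every column is a permutation of A."""
    s = len(table)
    cols = [[table[x][y] for x in range(s)] for y in range(s)]
    return all(sorted(r) == list(range(s)) for r in list(table) + cols)

def left_parastrophe(table):
    """Qpar(\\) of Table IV: x \\ y = z  iff  x * z = y."""
    s = len(table)
    par = [[0] * s for _ in range(s)]
    for x in range(s):
        for z in range(s):
            par[x][table[x][z]] = z
    return par

QPAR = left_parastrophe(Q)

def tasc_encrypt(key, nibbles):
    """Table III, encryption T(k, M) = (k_c, C), over a list of nibbles."""
    K, n, out = list(key), len(key), []
    for x in nibbles:
        t = 0
        for i in range(n):
            x = Q[K[i]][x]          # X <- Q[K_i, X]
            t ^= x                  # T <- T xor X
            K[i] = x                # K_i <- X
        K[n - 1] = t                # K_{n-1} <- T
        out.append(x)
    return K, out

def tasc_decrypt(key, nibbles):
    """Table III, decryption T^-1(k, C) = (k_c, M). Each stage is undone with the
    left parastrophe; the plaintext nibble recovered at the last stage is not part
    of T, so the page's 'downto 0' loop is written here with that step pulled out."""
    K, n, out = list(key), len(key), []
    for c in nibbles:
        x, t, temp = c, c, K[n - 1]
        for i in range(n - 1, 0, -1):
            x = QPAR[temp][x]       # X <- Qpar[temp, X]
            t ^= x
            temp, K[i - 1] = K[i - 1], x
        out.append(QPAR[temp][x])   # plaintext nibble
        K[n - 1] = t
    return K, out

def hexn(s):
    """'4d00' -> [4, 13, 0, 0]"""
    return [int(c, 16) for c in s]

def nhex(v):
    return "".join("%x" % x for x in v)

# M' of the page: M = 4d616365646f6e6961 laid out as the rate-1/4 code of Table I.
M_PRIME = ("4d00 6100 6000 0000 3600 5000 6000 0000 4600 f600 e000 0000 "
           "6900 6000 1000 0000 0000 0000").split()

def encode_blocks(key_hex, words):
    """Eq. (2) run word by word: returns [(k_i, C_i)] as in Table V."""
    k, rows = hexn(key_hex), []
    for w in words:
        k, c = tasc_encrypt(k, hexn(w))
        rows.append((nhex(k), nhex(c)))
    return rows

def neighbours(word, b_max):
    """All 16-bit words within Hamming distance b_max of word (697 for b_max = 3)."""
    return [word ^ sum(1 << b for b in bits)
            for d in range(b_max + 1) for bits in combinations(range(16), d)]

def decode_step(key_hex, received_hex, b_max, zero_nibbles):
    """One TASCECA step from a single candidate (k'', m''): decrypt every neighbour
    D'' of the received word and keep those whose trailing `zero_nibbles` nibbles
    are zero, i.e. that carry the redundancy of M'_i. Returns (k, word, D_i xor D'')."""
    k, d, found = hexn(key_hex), int(received_hex, 16), []
    for cand in neighbours(d, b_max):
        k2, m = tasc_decrypt(k, [(cand >> sh) & 0xF for sh in (12, 8, 4, 0)])
        if all(v == 0 for v in m[4 - zero_nibbles:]):
            found.append((nhex(k2), nhex(m), "%04x" % (cand ^ d)))
    return found

if __name__ == "__main__":
    print("Table II is a Latin square:", is_quasigroup(Q))
    for i, (k, c) in enumerate(encode_blocks("01234", M_PRIME), 1):
        print("%2d  %s  %s  %s" % (i, M_PRIME[i - 1], c, k))   # compare with Table V
    for cand in decode_step("01234", "24ab", 3, 2):           # the i = 1 candidate set
        print(cand)
```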

Furthermore, under the assumption that the number of elements in the set S is kept under control, we can calculate an upper bound on the BER of the decoding. Namely, for a binary symmetric channel with probability of error p, assuming that the maximal Hamming distance for received 4-tuples D_(i) is not larger than B=B_(max), and letting K=N/16 be the number of 4-tuples in a codeword of length N, the upper bound on the BER is given by the following expression:

${BER} \leq \sum_{i=1}^{K} \binom{K}{i} p_{B}^{\,i} \left(1 - p_{B}\right)^{K-i}$

where

$p_{B} = \sum_{i > B_{\max}} \binom{16}{i} p^{i} \left(1 - p\right)^{16-i}$

is the probability that more than B_(max) errors occur in a string of 16 bits.

Our experiments with the code showed significant improvement compared to Turbo and LDPC codes. For example, for SNR=0.0 dB, rate ½ and a block length of only 288 bits, preferred codes give BER=1.7×10⁻⁴, and for SNR=−0.5 dB, rate ¼ and a block length of only 864 bits they produce BER=4.1×10⁻⁵. Such numerical experiments show that the potential of the code is, at this moment, far beyond the capabilities of the currently best error correction codes.

Yet another aspect of the present invention provides an improver of pseudo-random number generators (PRNGs) such that the improved PRNG has an almost unmeasurable period, uniform distribution of the letters, pairs of letters, triples of letters, and so on, and passes all statistical tests of randomness. The preferred improver of PRNGs is designed by using quasigroup string transformations and its properties are mathematically provable. It is very flexible: the input/output strings can be of 2-bit letters, 4-bit letters, bytes, 2-byte letters, and so on. Additionally, its complexity is linear and it needs less than 1 Kb of memory in its 2-bit and 4-bit implementations, and therefore it is suitable for use in embedded systems as well.

There are several improvers for (pseudo-)random number generators (PRNGs) constructed over pseudo-random number generators and/or unbiased physical sources of randomness. A general characteristic of all improvers for PRNGs is that either they do not use each bit of information generated by the source, or their algorithms are of exponential nature and approximations must then be involved. Among the proposed algorithms for improvers of PRNGs, some can be implemented in a computationally effective way, while for some mathematical proofs are supplied for the desired properties.

According to embodiments of the present invention, an improver for PRNGs is provided that is based on quasigroup string transformations. A preferred improver uses each bit of information produced by an information source. Moreover, a preferred improver is capable of producing a pseudo random number sequence (of high quality) from a stationary source that produces only one signal, zero for example. The complexity of a preferred algorithm is linear, i.e. an output string of length n is produced from an input string of length n with complexity O(n). This means that computationally very effective software and hardware implementations of the improver can be designed. The preferred algorithm is very flexible: the same design can be used for strings whose letters consist of 2 bits, 4 bits, bytes, 2 bytes, and generally it can be designed for an alphabet of n-bit letters (n≧2).

The definition of a quasigroup has been provided above. Also as provided above, the definition of a quasigroup implies the cancellation laws

x*y=x*z ⇒ y=z,  y*x=z*x ⇒ y=z,

and the equations a*x=b, y*a=b have unique solutions x, y for each a,bεQ. If (Q,*) is a quasigroup then * is called a quasigroup operation.

Several quasigroup string transformations can be defined and those of interest to us will be explained below. Consider an alphabet (i.e. a finite set) A, and denote by A⁺ the set of all nonempty words (i.e. finite strings) formed by the elements of A. The elements of A⁺ will be denoted by a₁a₂ . . . a_(n) rather than (a₁, a₂, . . . , a_(n)), where a_(i)εA. Let * be a quasigroup operation on the set A. For each lεA we define two functions e_(l,*),e_(l,*)′: A⁺→A⁺ as follows. Let a_(i)εA, α=a₁a₂ . . . a_(n). Then

e_(l,*)(α)=b₁ . . . b_(n), where b_(i+1)=b_(i)*a_(i+1),

e′_(l,*)(α)=b₁ . . . b_(n), where b_(i+1)=a_(i+1)*b_(i),

for each i=0, 1, . . . , n−1, with b₀=l. The functions e_(l,*) and e′_(l,*) are called e- and e′-transformations of A⁺ based on the operation * with leader l. Graphical representations of the e- and e′-transformations are shown in the following figures.

FIG. 1: Graphical Representation of an E-Transformation

FIG. 2: Graphical Representation of an E′-Transformation

As an example, take A={0, 1, 2, 3} and let the quasigroup (A,*) be given by the multiplication scheme shown below.

Consider the string α=1 0 2 1 0 0 0 0 0 0 0 0 0 1 1 2 1 0 2 2 0 1 0 1 0 3 0 0 and choose the leader 0. Then by the transformations e_(0,*) and e′_(0,*) we will obtain the following transformed strings

e _(0,*)(α)=1 322 1 302 1 302 1 0 1 1 2 1 1 1 330 1 3 1 30

and

e′ _(0,*)(α)=3 3 0 3 3 3 3 3 3 3 3 332 1 2 1 1 233 2 0 3 3 1 1 1.

We present four consecutive applications of these transformations in the above table. One can notice that the starting distribution of 0, 1, 2 and 3 in α: 16/28, 7/28, 4/28, 1/28 is changed to 7/28, 7/28, 10/28, 4/28 in e_(0,*) ⁴(α) and to 5/28, 10/28, 10/28, 5/28, 8/28 in e′_(0,*) ⁴(α), hence the distributions became more uniform.

Several quasigroup operations can be defined on the set A; let *₁, *₂, . . . , *_(k) be a sequence of (not necessarily distinct) such operations. We also choose leaders l₁, l₂, . . . , l_(k)εA (not necessarily distinct either), and then the compositions of mappings

E_(k)=E_(l₁ . . . l_(k))=e_(l₁,*₁) ∘ e_(l₂,*₂) ∘ . . . ∘ e_(l_(k),*_(k)),

E′_(k)=E′_(l₁ . . . l_(k))=e′_(l₁,*₁) ∘ e′_(l₂,*₂) ∘ . . . ∘ e′_(l_(k),*_(k))

are said to be E- and E′-transformations of A⁺ respectively. The functions E_(k) and E′_(k) have many interesting properties, and for our purposes the most important ones are the following:

Theorem 10 The transformations E_(k) and E′_(k) are permutations of A⁺.

Theorem 11 Consider an arbitrary string α=a₁a₂ . . . a_(n)εA⁺, where a_(i)εA, and let β=E_(k)(α), β′=E′_(k)(α). If n is a large enough integer then, for each l, 1≦l≦k, the distribution of substrings of β and β′ of length l is uniform. (We note that for l>k the distribution of substrings of β and β′ of length l may not be uniform.)

We say that a string α=a₁a₂ . . . a_(n)εA⁺, where a_(i)εA, has period p if p is the smallest positive integer such that a_(i+1)a_(i+2) . . . a_(i+p)=a_(i+p+1)a_(i+p+2) . . . a_(i+2p) for each i≧0. Let α, β, β′ be as in Theorem 11 and assume that the leader a of the transformations E_(k) and E′_(k) is such that a*a≠a. Then we have the following property:

Theorem 12 The periods of the strings β and β′ are increasing at least linearly by k.

We should note that the increase of the periods depends on the quasigroup operations, and for some of them it is exponential, i.e. if α has period p, then β=E_(k)(α) and β′=E′_(k)(α) may have periods greater than p·2^(k). We will discuss this in more detail.

In the examples that follow we will usually use only E-transformations, since the results will hold for E′-transformations by symmetry.

Describing the quasigroup PRNG improver specifically, assume that we have a discrete source of information SI that produces strings from A⁺, i.e. the alphabet of SI is A, where A={a₀, a₁, . . . , a_(s−1)} is a finite alphabet. We may consider the output strings from SI to be pseudo random numbers, i.e. we take the elements of A to be digits in number base s and SI to be a PRNG. Then we define two algorithms for PRNG improvers, based on E- and E′-transformations respectively. We call them an E-algorithm and an E′-algorithm. In the algorithms we use several internal variables b, L₁, . . . , L_(n); the input of the algorithms is the order s of the quasigroup, a quasigroup (A,*) of order s, a fixed element lεA (the leader), an integer n giving the number of applications of the transformations e_(l,*) and e′_(l,*), and a pseudo random string b₀, b₁, b₂, b₃, . . . obtained from some source of information SI with alphabet A. The output is an improved pseudo random string.

E-algorithm

Phase I. Initialization
  1. Choose a positive integer s ≧ 4;
  2. Choose an exponential quasigroup (A,*);
  3. Set a positive integer n;
  4. Set a leader l, a fixed element of A such that l * l ≠ l;

Phase II. Transformations of the pseudo random strings b₀b₁b₂b₃..., b_(i) ∈ A, obtained from the source SI
  5. For i = 1 to n do L_(i) ← l;
  6. do
       b ← RandomElement(SI);
       L₁ ← L₁ * b;
       For i = 2 to n do L_(i) ← L_(i) * L_(i−1);
       Output: L_(n);
     loop;

The E′-algorithm differs from the E-algorithm only in step 6:

E′-algorithm
  6′. do
       b ← RandomElement(SI);
       L₁ ← b * L₁;
       For i = 2 to n do L_(i) ← L_(i−1) * L_(i);
       Output: L_(n);
     loop;

We have to explain the meaning of an exponential quasigroup and to give suitable parameters for the numbers s and n. In fact, the number s is in a way predefined by the source of information SI, but not completely. Let the alphabet of SI be ASCII, consisting of all 8-bit letters. Then we have the following choices of A: A={0, 1, 2, 3}, A={0, 1, 2, . . . , 7}, A={0, 1, . . . , 15}, A={0, 1, . . . , 31}, A={0, 1, . . . , 63}, A={0, 1, 2, . . . , 127}. Namely, the output string of SI is considered as a string of bits and then the bits are grouped by two, three, and so on. (We can consider in this case alphabets with two-byte letters, three-byte letters etc., but quasigroups of order 512 or higher need a lot of storage memory and generally the computations are slower, which may be undesirable.) The number n should be chosen by the principle ‘for smaller s, larger n’ and its choice depends on the source of information SI. Thus, if SI gives constant output (zeros, for example), then by our experience one rule could be ‘ns≧512 & n>8’. If SI produces a kind of random sequence then n can be small; sometimes n=1 is quite enough. For example, the PRNG used in Pascal does not pass the statistical tests in the battery [diehard], but it passes all of them after only one application of an e-transformation. Of course, for larger s a better output pseudo random string is obtained, but it should be optimized against the available performance (speed of the algorithm, accessible memory etc.). All of the mentioned properties are based on Theorem 11 and Theorem 12 and on our experience obtained throughout several hundred experiments.

The potential of quasigroups for defining and improving PRNGs has been considered. From prior studies it can be concluded that the class of finite quasigroups can be separated into two disjoint subclasses: the class of linear (or fractal) quasigroups and the class of exponential (or uniform) quasigroups. There are several characteristics that separate these two classes, and for our purposes the following one is important. Given a finite set Q={q₀, q₁, . . . , q_(s−1)}, let (Q,*) be a quasigroup and let us start with the infinite (i.e. long enough) string α=q₀q₁ . . . q_(s−1)q₀q₁ . . . q_(s−1)q₀q₁ . . . q_(s−1) . . . of period s. Apply r times an e_(l,*) transformation on α and denote by α_(r) the obtained string. Then, if the period of the string α_(r) is a linear function of r, the quasigroup (Q,*) is said to be linear. In the opposite case the period of the string α_(r) is an exponential function n^(r) (for some constant n, 1<n≦s), and then the quasigroup (Q,*) is said to be exponential. The number n is called the period of growth of the exponential quasigroup (Q,*). (It is an open problem whether there exist only two kinds of finite quasigroups, linear and exponential.)
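The E-algorithm of Phase I/II and the period-of-growth experiment just described, as an added Python example (not the patent's code). Both order-4 quasigroups are constructed here: Z4 is the cyclic group (Z₄,+), a known linear (fractal) case, and Q4 is a Latin square with no identity element whose class the run reports; the leader, n and the source are example choices.

```python
from itertools import islice, repeat

# (Z_4, +): a group table, hence a "linear" (fractal) quasigroup.
Z4 = [[(x + y) % 4 for y in range(4)] for x in range(4)]

# Constructed Latin square of order 4 without an identity element.
Q4 = [[1, 0, 3, 2],
      [3, 2, 1, 0],
      [0, 1, 2, 3],
      [2, 3, 0, 1]]

def is_quasigroup(table):
    """Every row and every column of the table is a permutation of A."""
    s = len(table)
    cols = [[table[x][y] for x in range(s)] for y in range(s)]
    return all(sorted(r) == list(range(s)) for r in list(table) + cols)

def left_parastrophe(table):
    """x \\ y = z  iff  x * z = y."""
    s = len(table)
    par = [[0] * s for _ in range(s)]
    for x in range(s):
        for z in range(s):
            par[x][table[x][z]] = z
    return par

def e_transform(table, leader, alpha):
    """e_{l,*}(a_1 ... a_n) = b_1 ... b_n with b_0 = l, b_{i+1} = b_i * a_{i+1}."""
    out, b = [], leader
    for a in alpha:
        b = table[b][a]
        out.append(b)
    return out

def e_inverse(table, leader, beta):
    """Recover alpha from beta = e_{l,*}(alpha) via a_{i+1} = b_i \\ b_{i+1};
    this is why e-transformations are permutations of A+ (Theorem 10)."""
    par = left_parastrophe(table)
    out, b = [], leader
    for c in beta:
        out.append(par[b][c])
        b = c
    return out

def period(seq):
    """Smallest p >= 1 with seq[i] == seq[i+p] for every i (pure periodicity)."""
    n = len(seq)
    for p in range(1, n // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(n - p)):
            return p
    return None

def period_growth(table, leader, rounds):
    """Periods of alpha_1 .. alpha_rounds, where alpha = q0 q1 ... q_{s-1} repeated
    and alpha_r = e_{l,*}(alpha_{r-1}). One e-transformation multiplies the period
    by at most s, so 3*s**(rounds+1) letters always hold three full periods."""
    s = len(table)
    alpha = [i % s for i in range(3 * s ** (rounds + 1))]
    periods = []
    for _ in range(rounds):
        alpha = e_transform(table, leader, alpha)
        periods.append(period(alpha))
    return periods

def e_algorithm(table, leader, n, source, count):
    """Phase II of the E-algorithm: registers L_1..L_n start at the leader; for each
    source letter b: L_1 <- L_1 * b, L_i <- L_i * L_{i-1} (i = 2..n), emit L_n."""
    if table[leader][leader] == leader:
        raise ValueError("leader must satisfy l * l != l (Phase I, step 4)")
    L, out = [leader] * n, []
    for b in islice(source, count):
        L[0] = table[L[0]][b]
        for i in range(1, n):
            L[i] = table[L[i]][L[i - 1]]
        out.append(L[-1])
    return out

if __name__ == "__main__":
    for name, q in (("Z4", Z4), ("Q4", Q4)):
        print(name, "periods after 1..5 e-transformations:", period_growth(q, 0, 5))
    # a stationary source emitting only zeros, improved with n = 8 cascaded stages
    print("E-algorithm on constant input:", e_algorithm(Q4, 0, 8, repeat(0), 32))
```

For Z4 the periods stay bounded by a linear function of r, while an exponential quasigroup shows the period multiplying by a constant factor at each round.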

It has been shown via statistical results provided in Dimitrova, V., Markovski, J.: On quasigroup pseudo random sequence generator, Proc. of the 1-st Balkan Conference in Informatics, Y. Manolopoulos and P. Spirakis eds., 21-23 Nov. 2004, Thessaloniki, pp. 393-401, that the percentage of linear quasigroups decreases when the order of the quasigroup increases. Furthermore, it can be determined that the percentage of ‘bad’ quasigroups, i.e. linear quasigroups and exponential quasigroups with period of growth ≦2, decreases exponentially with the order of the quasigroups. The following table illustrates the percentages of ‘bad’ quasigroups for quasigroups of order 4, 5, 6, 7, 8, 9 and 10 according to Dimitrova et al. We have to notice that these results are not quite precise (except for the quasigroups of order 4, where a complete classification is obtained), since the conclusion is made when only 7 e-transformations were applied. Namely, it can happen that some quasigroups obtain a period of growth ≧2 only after more than 7 applications.

TABLE 1 Percentage of ‘bad’ quasigroups of order 4-10

  Order of the quasigroup            4      5     6     7     8      9      10
  Percentage of ‘bad’ quasigroups    34.7   1.1   1.0   0.6   0.38   0.25   0.15

We made the following experiment over 10⁶ randomly chosen quasigroups of order 16. We counted the period of growth after 5 applications of e_(l,*) transformations of each of the quasigroups on the periodic string with period 16: 0, 1, 2, . . . , 14, 15, 0, 1, 2, . . . , 14, 15, . . . , 0, 1, 2, . . . , 14, 15, . . . . The value of the leader l did not affect the results. The obtained distribution of the period of growth is presented in the following table.

  Constant k             Number of quasigroups with period a = 2^(k)
  0.00 ≦ k < 0.25             1
  0.25 ≦ k < 0.50            23
  0.50 ≦ k < 0.75           191
  0.75 ≦ k < 1.00           686
  1.00 ≦ k < 1.25          2517
  1.25 ≦ k < 1.50          7918
  1.50 ≦ k < 1.75         18530
  1.75 ≦ k < 2.00         12687
  2.00 ≦ k < 2.25         79834
  2.25 ≦ k < 2.50        128836
  2.50 ≦ k < 2.75        174974
  2.75 ≦ k < 3.00        199040
  3.00 ≦ k < 3.25        176848
  3.25 ≦ k < 3.50        119279
  3.50 ≦ k < 3.75        454$$3
  3.75 ≦ k < 4.00          1527

It can be seen from the table that 907 quasigroups have period of growth <2 after 5 applications of the e-transformation. We counted the period of growth after 6 applications for each of those quasigroups and obtained that only 15 of them had period of growth <2. After 7 applications, only one quasigroup had period of growth <2, but it obtained period of growth 2 after 10 applications of e-transformations. This experiment shows that it is not easy for a linear quasigroup of order 16 to be found randomly.

The PRNG improvers of preferred embodiments are very effectively implementable in software and hardware. They are of linear complexity and, if quasigroups of order ≦16 are used, can be installed in less than 1 Kb of working memory. Hence, they can be used in embedded systems. The performance of the algorithms is based on Theorems 10, 11 and 12. By Theorem 10, the E-algorithm and the E′-algorithm are injective, meaning that different input strings obtained from a source of information SI will produce different output strings. Theorem 11 allows a uniform output random string to be obtained, where the distribution of the letters, pairs of letters, triples of letters, etc. is uniform. Finally, Theorem 12 and the statistical results show that the period of the output random string can be as large as we want (it is potentially infinite, as a matter of fact). The desired characteristics of the output random strings can be easily achieved by using suitable (exponential) quasigroups and a suitable choice of the parameter s. It is clear that the above properties alone are not enough for good pseudo random strings to be obtained. We have checked the obtained pseudo random strings by using available statistical tests (Diehard), and they passed all of the tests.

Proofs for Theorems 11 and 12 will now be provided. Regarding Theorem 11, in order to simplify the technicalities in the proof we take that the alphabet A is {0, . . . , s−1}, where 0, 1, . . . , s−1 (s>1) are integers, and * is a quasigroup operation on A. We define a sequence of random variables {Y_(n)|n≧1} as follows. Let us have a probability distribution (q₀, q₁, . . . , q_(s−1)) of the letters 0, 1, . . . s−1, such that q_(i)>0 for each i=0, 1, . . . , s−1

and

${\sum\limits_{i = 0}^{s - 1}q_{i}} = 1$

Consider an e-transformation E and let γ=E(β) where β=b₁ . . . b_(k), γ=c₁ . . . c_(k)εA⁺ (b_(i), c_(i)εA). We assume that the string β is arbitrarily chosen. Then by {Y_(m)=i} we denote the random event that the m-th letter in the string γ is exactly i. The definition of the e-transformation given by (1) implies

P(Y _(m) =j|Y _(m−1) =j _(m−1) , . . . , Y ₁ =j ₁)=P(Y _(m) =j|Y _(m−1) =j _(m−1))

since the appearance of the m-th member of γ depends only on the (m−1)-th member of γ, and not on the (m−2)-th, . . . , 1-st ones. So, the sequence {Y_(m)|m≧1} is a Markov chain, and we refer to it as a quasigroup Markov chain (qMc). Let p_(ij) denote the probability that in the string γ the letter j appears immediately after the given letter i, i.e.

p _(ij) =P(Y _(m) =j|Y _(m−1) =i), i, j=0, 1, . . . , s−1

The definition of qMc implies that p_(ij) does not depend on m, so we have that qMc is a homogeneous Markov chain. The probabilities p_(ij) can be determined as follows. Let i,j,tεA and let i*t=j be a true equality in the quasigroup (A,*). Then

P(Y _(m) =j|Y _(m−1) =i)=q _(t),

since the equation i*x=j has a unique solution for the unknown x. So, p_(ij)>0 for each i, j=0, . . . , s−1, i.e. the transition matrix Π=(p_(ij)) of the qMc is regular. Clearly, as in any Markov chain,

$\sum_{j = 0}^{s - 1} p_{ij} = 1.$

But for the qMc we also have

$\sum_{i = 0}^{s - 1} p_{ij} = \sum_{t \in A} q_{t} = 1,$

i.e. the transition matrix Π of a qMc is doubly stochastic.

The regularity of Π implies that there is a unique fixed probability vector p=(p₀, . . . , p_(s−1)) such that pΠ=p, and all components of p are positive. Also, since Π is a doubly stochastic matrix too, one can check that

$\left( \frac{1}{s}, \frac{1}{s}, \ldots, \frac{1}{s} \right)$

is a solution of pΠ=p. So,

$p_{i} = \frac{1}{s} \quad (i = 0, \ldots, s - 1).$

In such a way we have the following Lemma:

Lemma Let β=b₁b₂ . . . b_(k)εA⁺ and γ=E⁽¹⁾(β). Then the probability of the appearance of a letter i at the m-th place of the string γ=c₁ . . . c_(k) is approximately

$\frac{1}{s},$

for each iεA and each m=1, 2, . . . , k.
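The transition matrix Π of the qMc for a concrete quasigroup and a skewed input distribution q, as an added Python example (not from the patent): it checks that Π is doubly stochastic with the uniform vector as its fixed point, iterates Π to show the rows converging to 1/s, and compares with the letter counts of one e-transformation of an input drawn from q. The order-4 Latin square Q4 and q=(0.5, 0.3, 0.15, 0.05) are constructed for the example.

```python
import random

# Constructed order-4 quasigroup (a Latin square without an identity element).
Q4 = [[1, 0, 3, 2],
      [3, 2, 1, 0],
      [0, 1, 2, 3],
      [2, 3, 0, 1]]

def transition_matrix(table, q):
    """Pi = (p_ij) with p_ij = P(Y_m = j | Y_{m-1} = i) = q_t where i * t = j;
    t is the unique solution of i * x = j, so every row is a permutation of q."""
    s = len(table)
    P = [[0.0] * s for _ in range(s)]
    for i in range(s):
        for t in range(s):
            P[i][table[i][t]] = q[t]
    return P

def is_doubly_stochastic(P, eps=1e-12):
    s = len(P)
    rows_ok = all(abs(sum(P[i]) - 1.0) < eps for i in range(s))
    cols_ok = all(abs(sum(P[i][j] for i in range(s)) - 1.0) < eps for j in range(s))
    return rows_ok and cols_ok

def vec_mat(p, P):
    """Row vector times matrix: (p Pi)_j = sum_i p_i p_ij."""
    return [sum(p[i] * P[i][j] for i in range(len(p))) for j in range(len(P[0]))]

def distribution_after(P, start, steps):
    """Distribution of Y_{m+steps} given Y_m = start, i.e. row `start` of Pi^steps."""
    v = [0.0] * len(P)
    v[start] = 1.0
    for _ in range(steps):
        v = vec_mat(v, P)
    return v

def e_transform(table, leader, alpha):
    """e_{l,*}: b_0 = l, b_{i+1} = b_i * a_{i+1}."""
    out, b = [], leader
    for a in alpha:
        b = table[b][a]
        out.append(b)
    return out

def letter_frequencies(table, q, leader, length, seed=2024):
    """Empirical side of the Lemma: draw beta i.i.d. from q (constructed input),
    apply one e-transformation and count the letters of gamma = e_{l,*}(beta)."""
    rng = random.Random(seed)
    beta = rng.choices(range(len(table)), weights=q, k=length)
    gamma = e_transform(table, leader, beta)
    return [gamma.count(i) / length for i in range(len(table))]

if __name__ == "__main__":
    q = [0.5, 0.3, 0.15, 0.05]            # skewed input letter distribution
    P = transition_matrix(Q4, q)
    for row in P:
        print(["%.2f" % x for x in row])
    print("doubly stochastic:", is_doubly_stochastic(P))
    print("row 0 of Pi^100:", ["%.6f" % x for x in distribution_after(P, 0, 100)])
    print("letter frequencies of e(beta):",
          ["%.3f" % x for x in letter_frequencies(Q4, q, 0, 20000)])
```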

The Lemma tells us that the distribution of the letters in the string γ=E(β), obtained from a sufficiently large string β by a qsp, is uniform. We proceed the discussion by considering the distributions of the substrings c_(i+1) . . . c_(i+l) of the string γ=E^((n))(β) (β=b₁b₂ . . . b_(k)εA⁺), where l≧1 is fixed and iε{0, 1, . . . , k−l}. As usual, we say that c_(i+1) . . . c_(i+l) is a substring of γ of length l. Define a sequence {Z_(m)^((n))|m≧1} of random variables by

$Z_{m}^{(n)} = t \iff \left\{ \begin{aligned} &Y_{m}^{(n)} = i_{m}^{(n)},\ Y_{m+1}^{(n)} = i_{m+1}^{(n)},\ \ldots,\ Y_{m+l-1}^{(n)} = i_{m+l-1}^{(n)}, \\ &t = i_{m}^{(n)} s^{l-1} + i_{m+1}^{(n)} s^{l-2} + \ldots + i_{m+l-2}^{(n)} s + i_{m+l-1}^{(n)} \end{aligned} \right.$

where here and further on the superscripts (n) denote the fact that we are considering substrings of a string γ=i₁^((n))i₂^((n)) . . . i_(k)^((n)) obtained from a string β by n e-transformations, i.e. γ=E^((n))(β). Thus, Y_(m)^((n)) is just the random variable Y_(m) defined as before. The mapping

(i_(m)^((n)), i_(m+1)^((n)), . . . , i_(m+l−1)^((n))) ↦ i_(m)^((n))s^(l−1)+i_(m+1)^((n))s^(l−2)+ . . . +i_(m+l−2)^((n))s+i_(m+l−1)^((n))

is a bijection from A^(l) onto {0, 1, . . . , s^(l)−1}, so the sequence {Z_(m) ^((n))|m≧1} is well defined. The sequence {Z_(m) ^((n))|m≧1} is also a Markov chain (n-qMc), since the appearance of a substring i_(m) ^((n))i_(m+1) ^((n)) . . . i_(m+l−1) ^((n)) of l consecutive symbols in γ depends only of the preceding substring i_(m−1) ^((n))i_(m) ^((n))i_(m+1) ^((n)) . . . i_(m+l−2) ^((n)). Denote by t and t′ the following numbers:

t=i _(m) ^((n)) s ^(l−1) +i _(m+1) ^((n)) s ^(l−2) + . . . +i _(m+l−2) ^((n)) s+i _(m+l−1) ^((n)),

t′=i _(m−1) ^((n)) s ^(l−1) +i′ _(m) ^((n)) s ^(l−2) + . . . +i′ _(m+l−3) ^((n)) s+i′ _(m+l−2) ^((n)).

Let p_(t′t) be the probability that in some string γ=E^((n))(β), the substring i_(m)^((n)) . . . i_(m+l−2)^((n))i_(m+l−1)^((n)) of γ (from the m-th to the (m+l−1)-th position) appears (with overlapping) after a given substring i_(m−1)^((n))i′_(m)^((n)) . . . i′_(m+l−3)^((n))i′_(m+l−2)^((n)) of γ (from the (m−1)-th to the (m+l−2)-th position). Clearly, p_(t′t)=0 if i_(j)^((n))≠i′_(j)^((n)) for some jε{m, m+1, . . . , m+l−2}. In the opposite case (when l−1 letters overlap) we have:

$\begin{matrix} {p_{t^{\prime}T} = {P\left( {Z_{m}^{(n)} = {\left. t \middle| Z_{m - 1}^{(n)} \right. = t^{\prime}}} \right)}} \\ {= {P\begin{pmatrix} {{Y_{m}^{(n)} = i_{m}^{(n)}},\ldots \mspace{11mu},{Y_{m + 1 - 1}^{(n)} = {\left. i_{m + l - 1}^{(n)} \middle| Y_{m - 1}^{(n)} \right. =}}} \\ {i_{m - 1}^{(n)},{Y_{m}^{(n)} = i_{m}^{(n)}},{\ldots \mspace{14mu} \ldots}\mspace{11mu},{Y_{m + l - 2}^{(n)} = i_{m + l - 2}^{(n)}}} \end{pmatrix}}} \\ {= {P\left( {\bigcap_{j = 0}^{l - 1}\left( {Y_{m + j}^{(n)} = i_{m + j}^{(n)}} \right)} \middle| {\bigcap_{j = 0}^{l - 1}\left( {Y_{m + j - 1}^{(n)} = i_{m + j - 1}^{(n)}} \right)} \right)}} \\ {= \frac{P\left( {\bigcap_{j = 0}^{l}\left( {Y_{m + j - 1}^{(n)} = i_{m + j - 1}^{(n)}} \right)} \right)}{P\left( {\bigcap_{j = 0}^{l - 1}\left( {Y_{m + j - 1}^{(n)} = i_{m + j - 1}^{(n)}} \right)} \right)}} \\ {\frac{\left. {\left. {P\left( {\bigcap_{j = 0}^{l - 1}\left( {Y_{m + j}^{(n)} = i_{m + j}^{(n)}} \right)} \right)} \middle| Y_{m - 1}^{(n)} \right. = i_{m - 1}^{(n)}} \right)}{\left. {\left. {P\left( {\bigcap_{j = 0}^{l - 3}\left( {Y_{m + j}^{(n)} = i_{m + j}^{(n)}} \right)} \right)} \middle| Y_{m - 1}^{(n)} \right. = i_{m - 1}^{(n)}} \right)}} \end{matrix}$

By induction on the number $n$ of quasigroup transformations we will prove Theorem 11, i.e., we will prove the following version of it:

Let $1\leq l\leq n$, $\beta=b_1b_2\ldots b_k\in A^+$ and $\gamma=E^{(n)}(\beta)$. Then the distribution of substrings of $\gamma$ of length $l$ is uniform.

Recall the notation $A=\{0,\ldots,s-1\}$. For $n=1$ this is the Lemma; let $n=r+1$, $r\geq 1$. By the inductive hypothesis, the distribution of substrings of length $l\leq r$ in $\gamma'=E^{(r)}(\beta)$ is uniform. At first we assume $l\leq r$ and consider substrings of length $l$ of $\gamma=E^{(r+1)}(\beta)=i_1^{(r+1)}\ldots i_k^{(r+1)}$. Let $*_1,\ldots,*_{r+1}$ be quasigroup operations on $A$ and recall that $E^{(r+1)}=E_{r+1}\circ E^{(r)}=E_{r+1}\circ E_r\circ E^{(r-1)}=\ldots$. Since $(A,*_{r+1})$ is a quasigroup, the equation $i_{j-1}^{(r+1)} *_{r+1} x = i_j^{(r+1)}$ has a unique solution $x$ for each $j$, $2\leq j\leq k$, and we denote it by $x=i_j^{(r)}$. Denote by $i_1^{(r)}$ the solution of the equation $a_{r+1} *_{r+1} x = i_1^{(r+1)}$, where $a_{r+1}\in A$ is the fixed element (the leader) in the definition of $E_{r+1}$. In this way, instead of working with substrings $i_m^{(r+1)}i_{m+1}^{(r+1)}\ldots i_{m+d}^{(r+1)}$ of $\gamma$, we can consider substrings $i_m^{(r)}i_{m+1}^{(r)}\ldots i_{m+d}^{(r)}$ of $\gamma'=E^{(r)}(\beta)$, for any $d$, $0\leq d\leq k-m$. The uniqueness of the solutions of the quasigroup equations implies that we have

$P\Bigl(\bigcap_{j=0}^{d}\bigl(Y_{m+j}^{(r+1)} = i_{m+j}^{(r+1)}\bigr) \Bigm| Y_{m-1}^{(r+1)} = i_{m-1}^{(r+1)}\Bigr) = P\Bigl(\bigcap_{j=0}^{d}\bigl(Y_{m+j}^{(r)} = i_{m+j}^{(r)}\bigr)\Bigr) \qquad (4)$

as well. Here $i_0^{(r+1)}=a_{r+1}$. Then, by (3) and (4) (for $d=l-1$, $d=l-2$ and $n=r+1$) we have

$p_{t^{\prime}t} = \frac{P\left( {\bigcap_{j = 0}^{l - 1}\left( {Y_{m + j}^{(r)} = i_{m + j}^{(r)}} \right)} \right)}{P\left( {\bigcap_{j = 0}^{l - 2}\left( {Y_{m + j}^{(r)} = i_{m + j}^{(r)}} \right)} \right)}$

where l≦r. By the inductive hypothesis we have

${{P\left( {\bigcap_{j = 0}^{l - 1}\left( {Y_{m + j}^{(r)} = i_{m + j}^{(r)}} \right)} \right)} = \frac{1}{s^{l}}},{{P\left( {\bigcap_{j = 0}^{l - 2}\left( {Y_{m + j}^{(r)} = i_{m + j}^{(r)}} \right)} \right)} = \frac{1}{s^{l - 1}}}$

i.e.

$p_{t't} = \frac{1}{s}.$

Thus, for the probabilities $p_{t't}$ we have

$p_{t't} = \begin{cases} 0 & \text{if } i'^{(r+1)}_j \neq i^{(r+1)}_j \text{ for some } j = m,\ldots,m+l-2, \\[4pt] \dfrac{1}{s} & \text{if } i'^{(r+1)}_j = i^{(r+1)}_j \text{ for each } j = m,\ldots,m+l-2. \end{cases}$

This means that in each column of the $s^l\times s^l$ transition matrix $\Pi$ of the $n$-qMc there are exactly $s$ entries equal to

$\frac{1}{s}$

(those for which $i'^{(r+1)}_j = i^{(r+1)}_j$, $j=m,\ldots,m+l-2$), the other entries are equal to 0, and so the entries of each column of $\Pi$ sum to 1. Hence the transition matrix $\Pi$ is doubly stochastic. It is a regular matrix too, since each entry of the matrix $\Pi^l$ is positive. This implies that the system $p\Pi=p$ has the unique fixed probability vector

$p = \left(\frac{1}{s^l}, \frac{1}{s^l}, \ldots, \frac{1}{s^l}\right)$

as a solution. In other words, the distribution of substrings of $\gamma$ of length $l\leq r$ is uniform. Assume now that $l=r+1$, and let the numbers $t$, $t'$ and the probabilities $p_{t't}$ be defined as before. Then the above equation for $p_{t't}$ holds too, i.e.

$p_{t^{\prime}t} = {\frac{P\left( {\overset{r}{\bigcap\limits_{j = 0}}\left( {Y_{m + j}^{(r)} = i_{m + j}^{(r)}} \right)} \right)}{P\left( {\overset{r - 1}{\bigcap\limits_{j = 0}}\left( {Y_{m + j}^{(r)} = i_{m + j}^{(r)}} \right)} \right)} = \frac{P\left( {\left. {\underset{j = 0}{\bigcap\limits^{r - 1}}\left( {Y_{m + j + 1}^{(r)} = i_{m + j + 1}^{(r)}} \right)} \middle| Y_{m}^{(r)} \right. = i_{m}^{(r)}} \right)}{P\left( {\left. {\underset{j = 0}{\bigcap\limits^{r - 2}}\left( {Y_{m + j + 1}^{(r)} = i_{m + j + 1}^{(r)}} \right)} \middle| Y_{m}^{(r)} \right. = i_{m}^{(r)}} \right)}}$

In the same way as it was done before, by using the fact that the equations i_(j−1*u) ^((u)) x=i_(j) ^((u)) have unique solutions x=i_(j) ^((u−1)) in the quasigroup (A,_(*u)), where u=r, r−1, . . . , 2, 1, we could consider substrings of γ′=E^((r))(β), γ″=E^((r−1))(β), . . . , γ^((r))=E⁽¹⁾(β), γ^((r=1))=E⁽⁰⁾(β)=β. Then, for the probabilities pt′t by repeatedly using the equations (4) and (6), we will reduce the superscripts (r) to (r−1), to (r−2), . . . , to (1), i.e. we will have

$\begin{matrix} {p_{t^{\prime}t} = \frac{P\left( {{Y_{m + r - 1}^{(1)} = i_{m + r - 1}^{(1)}},{Y_{m + r}^{(1)} = i_{m + r}^{(1)}}} \right)}{P\left( {Y_{m + r - 1}^{(1)} = i_{m + r - 1}^{(i)}} \right)}} \\ {= {P\left( {Y_{m + r}^{(1)} = {\left. i_{m + r}^{(1)} \middle| Y_{m + r - 1}^{(1)} \right. = i_{m + r - 1}^{(1)}}} \right)}} \\ {= {P\left( {Y_{m + r}^{(0)} = i_{m + r}^{(0)}} \right)}} \end{matrix}$

Where i_(m+r) ⁽⁰⁾εβ. Since P(Y_(m=r) ⁽⁰⁾=i_(m+r) ⁽⁰⁾)=q_(m+r) ⁽⁰⁾ we have

$p_{t^{\prime}t} = \left\{ \begin{matrix} 0 & {{{{{if}\mspace{14mu} i_{j}^{\prime {({r + 1})}}} \neq {i_{j}^{({r + 1})}\mspace{14mu} {for}\mspace{14mu} {some}\mspace{14mu} j}} = m},\ldots \mspace{14mu},{m + r - 1}} \\ q_{i_{m + r}}^{(0)} & {{{{if}\mspace{14mu} i_{j}^{\prime {({r + 1})}}} = {{i_{j}^{({r + 1})}\mspace{14mu} {for}\mspace{14mu} {each}\mspace{14mu} j} = m}},\ldots \mspace{14mu},{m + r - 1}} \end{matrix} \right.$

which implies

$\begin{matrix} {{\sum\limits_{t^{\prime} = 0}^{s^{r + 1} - 1}p_{t^{\prime}t}} = {\sum\limits_{i_{m - 1}^{({r + 1})} = 0}^{s - 1}{\sum\limits_{i_{m}^{\prime {({r + 1})}} = 0}^{s - 1}{\ldots \mspace{14mu} {\sum\limits_{i_{m + r - 2}^{\prime {({r + 1})}} = 0}^{s - 1}p_{t^{\prime}t}}}}}} \\ {= {\sum\limits_{i_{m - 1}^{({r + 1})} = 0}^{s - 1}q_{i_{m + r}}^{(0)}}} \\ {= {{\sum\limits_{i_{m}^{(r)} = 0}^{s - 1}q_{i_{m + r}}^{(0)}} = {{\sum\limits_{i_{m + 1}^{({r - 1})} = 0}^{s - 1}q_{i_{m + r}}^{(0)}} = {\ldots = {\sum\limits_{i_{m + r}^{(0)} = 0}^{s - 1}q_{i_{m + r}}^{(0)}}}}}} \\ {= 1} \end{matrix}$

We should note that the equations

${\sum\limits_{i_{m \cdot 1}^{({r + 1})} = 0}^{s - 1}q_{i_{m + r}}^{(0)}} = {{\sum\limits_{i_{m}^{(r)} = 0}^{s - 1}q_{i_{m + r}}^{(0)}} = \ldots}$

hold true since the equations i_(j−1*u) ^((u)) x=i_(j) ^((u)) have unique solutions in the quasigroup (A,_(*u)) for each u=r+1, r, . . . , 2, 1.

Hence, the transition matrix II is doubly stochastic, it is regular (II^(r+1) has positive entries) which means that the system pII=p has a unique fixed probability vector

$p = \left( {\frac{1}{s^{r + 1}},\frac{1}{s^{r + 1}},\ldots \mspace{14mu},\frac{1}{s^{r + 1}}} \right)$

as a solution.

Generally, the distribution of the substrings of lengths l for l>n in a string γ=E^((n))(β) is not uniform. Namely, for l=n+1, in the same manner as in the last part of the preceding proof, one can show that Pt′t=P(Y_(m+n+1) ⁽⁰⁾=i_(m+n+1) ⁽⁰⁾|Y_(m+n) ⁽⁰⁾=i_(m+n) ⁽⁰⁾) and then (as in the implied summations shown above) we have

${\sum\limits_{t^{\prime} = 0}^{s^{n + 1} - 1}{{Pt}^{\prime}t}} = {\sum\limits_{i_{m + n}^{(0)} = 0}^{s - 1}{{P\left( {Y_{m + n + 1}^{(0)} = {\left. i_{m + n + 1}^{(0)} \middle| Y_{m + n}^{(0)} \right. = i_{m + n}^{(0)}}} \right)}.}}$

Of course, the last sum must not be equal to l, i.e. the transition matrix ∥ must not be doubly stochastic. The same consideration could be made for l=n+2, n+3, . . . as well.

To prove Theorem 12, consider a finite quasigroup $(A,*)$ of order $s$ and take a fixed element $a\in A$ such that $a*a\neq a$. We will prove Theorem 12 in the most extreme case, so we take a string $\alpha=a_1\ldots a_k$ of period 1, where $a_i=a$ for each $i\geq 1$. Then we apply the transformation $E=e_{a,*}$ to $\alpha$ several times. $E^n$ means that $E$ is applied $n$ times, and we write $E^n(\alpha)=a_1^{(n)}\ldots a_k^{(n)}$, with $a'_i=a_i^{(1)}$, $a''_i=a_i^{(2)}$ and so on. The results are presented in the following table (the first column holds the leader $a$, the first row is $\alpha$ and each further row is the next string $E^n(\alpha)$):

$\begin{array}{c|cccccc} & a & a & \cdots & a & a & \cdots \\ a & a'_1 & a'_2 & \cdots & a'_{p-1} & a'_p & \cdots \\ a & a''_1 & a''_2 & \cdots & a''_{p-1} & a''_p & \cdots \\ a & a'''_1 & a'''_2 & \cdots & a'''_{p-1} & a'''_p & \cdots \\ a & a^{(4)}_1 & a^{(4)}_2 & \cdots & a^{(4)}_{p-1} & a^{(4)}_p & \cdots \\ \vdots & \vdots & \vdots & & \vdots & \vdots & \end{array}$

Since $a'_1=a*a\neq a$ and $a'_i=a'_{i-1}*a\in A$, the sequence $a'_1,a'_2,\ldots$ is the orbit of $a$ under the permutation $x\mapsto x*a$ of $A$, so $a'_p=a$ for some $p$ with $1<p\leq s$; let $p$ be the smallest integer with this property. It follows that the string $E(\alpha)$ is periodic with period $p$. For similar reasons each of the strings $E^n(\alpha)$ is periodic. We will show that it is not possible for all of the strings $E^n(\alpha)$ to have the same period $p$. Suppose they do. Then $a_p^{(n)}=a$ for each $n\geq 1$: for $n\geq 2$ the periodicity gives $a_{p+1}^{(n)}=a_1^{(n)}$ and $a_{p+1}^{(n-1)}=a_1^{(n-1)}$, i.e. $a_p^{(n)}*a_1^{(n-1)}=a*a_1^{(n-1)}$, and cancellation in the quasigroup yields $a_p^{(n)}=a$. Then, again by cancellation (for instance $a_{p-1}^{(n)}*a_p^{(n-1)}=a_p^{(n)}=a$ with $a_p^{(n-1)}=a$ forces $a_{p-1}^{(n)}=a/a$), there are elements $b_1,\ldots,b_{p-1}\in A$ such that the following equalities hold:

$\begin{array}{ll} a_{p-1}^{(n)} = b_{p-1} & \text{for } n\geq 2, \\ a_{p-2}^{(n)} = b_{p-2} & \text{for } n\geq 3, \\ \quad\vdots & \\ a_{1}^{(n)} = b_{1} & \text{for } n\geq p. \end{array}$

Then $a_1^{(n)}=a*a_1^{(n-1)}$ for $n\geq p+1$ gives $a*b_1=b_1$, and by left cancellation downwards ($a*a_1^{(n-1)}=b_1=a*b_1$ implies $a_1^{(n-1)}=b_1$) this implies $a_1^{(n)}=b_1$ for each $n\geq 1$. We obtain $a*a=a_1^{(1)}=b_1=a*b_1$, implying $a=b_1$ and hence $a*a=a$, a contradiction with $a*a\neq a$. Consequently, if $E(\alpha),\ldots,E^p(\alpha)$ all have period $p$, then $a*b_1\neq b_1$ and we have $a_1^{(p+1)}=a*a_1^{(p)}=a*b_1\neq b_1$, $a_2^{(p+1)}=a_1^{(p+1)}*b_2\neq b_2$, \ldots, $a_{p-1}^{(p+1)}=a_{p-2}^{(p+1)}*b_{p-1}\neq b_{p-1}$, $a_p^{(p+1)}=a_{p-1}^{(p+1)}*a\neq a$. We conclude that the period of the string $E^{p+1}(\alpha)$ is not $p$.

Next we show that if a string $\beta\in A^+$ has period $p$ and $\gamma=E(\beta)$ has period $q$, then $p$ is a factor of $q$. Recall that by Theorem 10 the transformation $E$ is a permutation, so the inverse transformation $E^{-1}$ exists. Now, if $\gamma=b_1\ldots b_q\,b_1\ldots b_q\ldots b_1\ldots b_q$, then $\beta=E^{-1}(\gamma)=c_1c_2\ldots c_q\,c_1c_2\ldots c_q\ldots c_1c_2\ldots c_q$ is a periodic string having $q$ as a period. So the (smallest) period $p$ of $\beta$ divides $q$.

Combining the preceding results, we have proved the following version of Theorem 12:

Let $\alpha$ be a string with period $p_0$. Then the strings $\beta=E_a^n(\alpha)$ are periodic with periods $p_n$ that are multiples of $p_0$. The periods $p_n$ of $\beta$ satisfy the inequality

$p_{p_{n-1}} > p_{n-1}$

for each $n\geq 1$.
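The two proofs above can be checked empirically. The following Python program is an added example, not part of the patent text: it implements the quasigroup string transformation $E=e_{a,*}$ of the description ($c_1=a*b_1$, $c_i=c_{i-1}*b_i$), its inverse via left division, and the iterate $E^n$ with the same leader at every level. The quasigroup is constructed for this example as a random isotope of $(\mathbb{Z}_s,+)$ with $s=4$; the seeds, input strings and statistical thresholds are likewise constructed here and are not from the page. `uniformity_demo` feeds $E^3$ a deliberately skewed i.i.d. input and returns a chi-square statistic of the (overlapping) substring counts against the uniform distribution on $A^l$ for $l=1,\ldots,4$: for $l\leq n=3$ the statistic stays near the degrees of freedom $s^l-1$, while for $l=4=n+1$ it is far larger, as the remark following the proof of Theorem 11 predicts. `period_demo` applies $E^n$ to the constant string $aaa\ldots$ with $a*a\neq a$ and returns the periods $p_1,\ldots,p_6$, each a multiple of the previous one and not all equal, as in the proof of Theorem 12.

```python
import random
from collections import Counter
from itertools import product


class Quasigroup:
    """Finite quasigroup (A, *) on A = {0, ..., s-1}, constructed as an isotope
    of the cyclic group (Z_s, +): x * y = g(f(x) + h(y) mod s) for random
    permutations f, g, h. Every isotope of a group is a quasigroup, so the
    left division x \\ z used by the inverse transformation always exists."""

    def __init__(self, s, seed):
        rng = random.Random(seed)
        self.s = s
        self.f, self.g, self.h = [rng.sample(range(s), s) for _ in range(3)]
        self.g_inv = [self.g.index(v) for v in range(s)]
        self.h_inv = [self.h.index(v) for v in range(s)]

    def mul(self, x, y):
        return self.g[(self.f[x] + self.h[y]) % self.s]

    def ldiv(self, x, z):
        """Left division x \\ z: the unique y with x * y == z."""
        return self.h_inv[(self.g_inv[z] - self.f[x]) % self.s]


def e_transform(q, a, beta):
    """E = e_{a,*}: c_1 = a * b_1, c_i = c_{i-1} * b_i (leader a)."""
    out, prev = [], a
    for b in beta:
        prev = q.mul(prev, b)
        out.append(prev)
    return out


def d_transform(q, a, gamma):
    """Inverse of e_{a,*}: b_i = c_{i-1} \\ c_i with c_0 = a."""
    out, prev = [], a
    for c in gamma:
        out.append(q.ldiv(prev, c))
        prev = c
    return out


def e_power(q, a, beta, n):
    """E^n with the same leader a at every level."""
    for _ in range(n):
        beta = e_transform(q, a, beta)
    return beta


def substring_chi2(gamma, s, l):
    """Chi-square statistic of the counts of overlapping substrings of length l
    against the uniform distribution on A^l (s^l - 1 degrees of freedom)."""
    total = len(gamma) - l + 1
    counts = Counter(tuple(gamma[i:i + l]) for i in range(total))
    expected = total / s ** l
    return sum((counts.get(w, 0) - expected) ** 2 / expected
               for w in product(range(s), repeat=l))


def period(string):
    """Smallest p >= 1 with string[i] == string[i + p] for every i."""
    b = bytes(string)
    for p in range(1, len(b)):
        if b[p:] == b[:-p]:
            return p
    return len(b)


def quasigroup_with_leader(s, seed=7):
    """Return (q, a) with a * a != a, trying successive seeds (assumption of
    this example: a random isotope of Z_s has such an element, which it
    essentially always does)."""
    for k in range(seed, seed + 50):
        q = Quasigroup(s, k)
        for a in range(s):
            if q.mul(a, a) != a:
                return q, a
    raise ValueError("no leader with a * a != a found")


def uniformity_demo(s=4, n=3, length=40000):
    """{l: chi2} for l = 1..n+1 on gamma = E^n(beta); beta is a constructed
    i.i.d. input with letter 0 three times as frequent as every other letter."""
    q = Quasigroup(s, seed=7)
    beta = random.Random(1).choices(range(s), weights=[3] + [1] * (s - 1), k=length)
    gamma = e_power(q, 1, beta, n)
    return {l: substring_chi2(gamma, s, l) for l in range(1, n + 2)}


def period_demo(s=4, max_n=6, length=16384):
    """Periods p_1..p_max_n of E^n(a a a ...) for a leader with a * a != a.
    length >= 2 * s**max_n, so the period found in the window is the true one."""
    q, a = quasigroup_with_leader(s)
    alpha = [a] * length
    return [period(e_power(q, a, alpha, n)) for n in range(1, max_n + 1)]


if __name__ == "__main__":
    for l, chi2 in uniformity_demo().items():
        print(f"l={l}: chi2={chi2:.1f} (df={4 ** l - 1})")
    print("periods p_1..p_6:", period_demo())
```

The window length in `period_demo` matters: the state of the $n$ nested transformations under a constant input is a point of $A^n$ moved by a fixed permutation, so the output is purely periodic with period at most $s^n$, and a window of at least twice that length cannot report a spurious shorter period.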

While specific embodiments of the present invention have been shown and described, it should be understood that other modifications, substitutions, and alternatives are apparent to one of ordinary skill in the art. Such modifications, substitutions, and alternatives can be made without departing from the spirit and scope of the present invention, which should be determined from the appended claims.

Various features of the present invention are set forth in the pending claims. 

1. A method of encrypting a message using a synchronous stream cipher, the method comprising: determining a quasigroup that is an autotope of an initial quasigroup based on a secret initial key K_(in) of selectable length n; determining a working key; generating a keystream for a binary additive cipher from the determined working key, the determined quasigroup, and the initial quasigroup; introducing the message as an input stream to the binary additive cipher; producing an output stream of the binary additive cipher comprising the encrypted message.
 2. The method of claim 1 wherein the working key is determined using the secret initial key K_(in).
 3. The method of claim 2 wherein said determining a quasigroup comprises: receiving the secret initial key K_(in); padding the key; expanding the padded key to a predetermined size; transforming the expanded key using the initial quasigroup; transforming the initial quasigroup to the determined quasigroup using the expanded key.
 4. The method of claim 3 wherein said determining the working key comprises: selecting a subset of the expanded key of length n.
 5. The method of claim 1 wherein said generating a keystream comprises: a) setting a counter Counter←0; p=[m/2]; where m is the length of the working key; b) assigning an initial temporary variable X←K[Counter mod n]; c) assigning an initial temporary variable T←K[Counter+p mod n]; d) determining a temporary variable X according to for i=0 to m−1 do begin X←K_(i)*X; T←T•X; K_(i)←X; end; assigning K_(m−1)←T; e) providing the output stream Output: X⊗Input; where Input comprises a part of the input stream; f) Counter←Counter+1; g) go to b); wherein said producing an output stream comprises performing step e) and • is an arbitrary quasigroup operation.
 6. A method of decrypting a message using a synchronous stream cipher, the method comprising determining a quasigroup that is an autotope of an initial quasigroup based on a secret initial key K_(in) of selectable length n; determining a working key; generating a keystream for a binary additive cipher from the determined working key, the determined quasigroup, and the initial quasigroup; introducing the encrypted message as an input stream to the binary additive cipher; producing an output stream of the binary additive cipher comprising the decrypted message.
 7. The method of claim 6 wherein the working key is determined using the secret initial key K_(in).
 8. The method of claim 7 wherein said determining a quasigroup comprises: receiving the secret initial key K_(in); padding the key; expanding the padded key to a predetermined size; transforming the expanded key using the initial quasigroup; transforming the initial quasigroup to the determined quasigroup using the expanded key.
 9. The method of claim 8 wherein said determining the working key comprises: selecting a subset of the expanded key.
 10. The method of claim 6 wherein said generating a keystream comprises: a) setting a counter Counter←0; p=[m/2]; where m is the length of the working key; b) assigning an initial temporary variable X←K[Counter mod n]; c) assigning an initial temporary variable T←K[Counter+p mod n]; d) determining a temporary variable X according to for i=0 to m−1 do begin X←K_(i)*X; T←T•X; K_(i)←X; end; assigning K_(m−1)←T; e) providing the output stream Output: X⊗Input; where Input comprises a part of the input stream; f) Counter←Counter+1; g) go to b); wherein said producing an output stream comprises performing step e) and • is an arbitrary quasigroup operation.
 11. The method of claim 1 wherein the initial quasigroup is secret.
 12. A method of encrypting a message using a self synchronized stream cipher, the method comprising: determining a quasigroup of order 2^r that is an autotope of an initial quasigroup based on a secret initial key K_(in) of selectable length n in r-bit letters; determining a working key; encrypting the message as a function of the determined working key, the determined quasigroup, and a fixed number of previous letters of the encrypted message.
 13. The method of claim 12 wherein the working key is determined using the secret initial key K_(in).
 14. The method of claim 13 wherein said determining a quasigroup comprises: receiving the secret initial key K_(in); padding the key; expanding the padded key to a predetermined size; transforming the expanded key using the initial quasigroup; transforming the initial quasigroup to the determined quasigroup using the expanded key.
 15. The method of claim 14 wherein said determining the working key comprises: selecting a subset of the expanded key of length n.
 16. The method of claim 12 wherein said encrypting comprises: a) setting Counter←0; p=[n/2]; b) determining a key value K₀←K₀*(M_(Counter)*K_(Counter+p mod n)); c) for i=1 to n−1 do begin K_(i)←K_(i)*K_(i−1); end; d) determining an output C_(Counter)=K_(n−1); e) setting Counter←Counter+1; f) go to b).
 17. A method of decrypting an encrypted message using a self synchronized stream cipher, the method comprising: determining a quasigroup of order 2^r that is an autotope of an initial quasigroup based on a secret initial key K_(in) of selectable length n in r-bit letters; determining a working key; decrypting the message as a function of the determined working key, the determined quasigroup, and a fixed number of previously-determined letters of the decrypted message.
 18. The method of claim 17 wherein the working key is determined using the secret initial key K_(in).
 19. The method of claim 18 wherein said determining a quasigroup comprises: receiving the secret initial key K_(in); padding the key; expanding the padded key to a predetermined size; transforming the expanded key using the initial quasigroup; transforming the initial quasigroup to the determined quasigroup using the expanded key.
 20. The method of claim 19 wherein said determining the working key comprises: selecting a subset of the expanded key of length n.
 21. The method of claim 17 wherein said decrypting comprises: a) setting Counter←0; p=[n/2]; b) assigning a temporary variable X←K_(n−1), K_(n−1)←C_(Counter); c) for i=n−2 down to 0 do begin Y←K_(i); K_(i)←X\K_(i+1); X←Y end; d) determining a decrypted output: M_(Counter)=(X\K₀)/K_(Counter+p mod n); e) setting Counter←Counter+1; f) go to b), wherein \ and / are parastrophic operations of the determined quasigroup *.
 22. The method of claim 17 wherein the initial quasigroup is secret. 23-47. (canceled) 
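Claims 16 and 21 give the self-synchronizing cipher only as a procedure. The following Python program is an added example, not the patentee's code: it runs both directions over a constructed order-4 quasigroup (2-bit letters, a Latin square written out by hand rather than the key-derived autotope of claims 12 to 15), with the working key supplied directly instead of being derived from K_(in). One assumption is needed to make the round trip close: step d) of claim 21 divides by K_(Counter+p mod n) after the loop of step c) has already replaced that entry, whereas step b) of claim 16 multiplied by the value before the update, so the example reads the pre-update letter in decryption. The last function corrupts one ciphertext letter and lists the plaintext positions that decrypt wrongly; because the key state after each step depends only on the last n ciphertext letters, only positions Counter to Counter+n are affected and decryption then resynchronizes, which is the self-synchronizing property the description claims.

```python
import random

# Constructed order-4 quasigroup: a Latin square whose rows and columns are
# permutations but which is not a group table. The claims would use the
# key-derived autotope here; this table is an assumption of the example.
LATIN = [
    [0, 1, 2, 3],
    [1, 0, 3, 2],
    [3, 2, 1, 0],
    [2, 3, 0, 1],
]
ORDER = len(LATIN)


def mul(x, y):
    """The quasigroup operation x * y."""
    return LATIN[x][y]


def ldiv(x, z):
    """Parastrophe x \\ z: the unique y with x * y == z (rows are permutations)."""
    return LATIN[x].index(z)


def rdiv(z, y):
    """Parastrophe z / y: the unique x with x * y == z (columns are permutations)."""
    return next(x for x in range(ORDER) if LATIN[x][y] == z)


def encrypt(working_key, message):
    """Claim 16: K_0 <- K_0 * (M_c * K_{c+p mod n}); K_i <- K_i * K_{i-1} for
    i = 1..n-1; C_c = K_{n-1}; the 'go to b)' loop is the iteration over M."""
    K = list(working_key)
    n, p = len(K), len(K) // 2
    out = []
    for counter, m in enumerate(message):
        K[0] = mul(K[0], mul(m, K[(counter + p) % n]))
        for i in range(1, n):
            K[i] = mul(K[i], K[i - 1])
        out.append(K[n - 1])
    return out


def decrypt(working_key, ciphertext):
    """Claim 21, with the assumption that the letter K_{c+p mod n} dividing in
    step d) is the value the key held before this step's update (the value
    encryption step b) multiplied by)."""
    K = list(working_key)
    n, p = len(K), len(K) // 2
    out = []
    for counter, c in enumerate(ciphertext):
        kp = K[(counter + p) % n]          # assumption: pre-update value
        x, K[n - 1] = K[n - 1], c          # step b)
        for i in range(n - 2, -1, -1):     # step c): undo K_i <- K_i * K_{i-1}
            y = K[i]
            K[i] = ldiv(x, K[i + 1])
            x = y
        out.append(rdiv(ldiv(x, K[0]), kp))  # step d): x is the old K_0
    return out


def garbled_positions(working_key, message, flip_at):
    """Encrypt, corrupt one ciphertext letter in transit, decrypt with a receiver
    that never saw the corruption; return the plaintext positions that differ."""
    ct = encrypt(working_key, message)
    ct[flip_at] ^= 1                       # another letter of the 2-bit alphabet
    pt = decrypt(working_key, ct)
    return [i for i, (a, b) in enumerate(zip(message, pt)) if a != b]


# Constructed test vectors: a 4-letter working key and a 60-letter message.
KEY = [1, 3, 0, 2]
MESSAGE = random.Random(3).choices(range(ORDER), k=60)

if __name__ == "__main__":
    ct = encrypt(KEY, MESSAGE)
    print("round trip ok:", decrypt(KEY, ct) == MESSAGE)
    print("positions garbled by one corrupted letter at 20:",
          garbled_positions(KEY, MESSAGE, 20))
```

With n = 4 the corrupted letter at position 20 disturbs at most positions 20 to 24: the state after step c) of decryption is a function of the last n ciphertext letters only, and step d) additionally uses the state left by the previous step, so M_c depends on C_(c−n), …, C_c and nothing earlier.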